Is it possible to dynamize "requires" at RPM build time?
Kai Engert
kengert at redhat.com
Wed Aug 23 18:12:40 UTC 2006
Kai Engert wrote:
> Matthew Miller wrote:
>> On Tue, Aug 22, 2006 at 11:40:55PM +0200, Kai Engert wrote:
>>
>>> A "Requires:" entry in a SPEC file may define the smallest library
>>> version acceptable for the resulting RPM package.
>>> Is it possible by some SPEC logic, to make a "Requires:" entry dynamic?
>>> In other words, is it possible, at RPM build time, to query the
>>> installed library release in the build environment, and have the
>>> produced RPM be dependent on >= that library version?
>>>
>>
>> Yes,
> How would you do that?
> Thanks in advance for explaining.
>
>> but it shouldn't be necessary. Does the library you're linking against
>> have issues with a broken soname?
>>
> I'll write a follow up post that describes why I consider it.
I was considering this for all Mozilla applications and its Requires
statement for library NSS.
The NSS library does not change its .so names , not even when exporting
additional symbols in the library.
The NSS project follows the rule, that when building against a certain
version of the library, you should use at least that library version -
or a newer version.
In other words, the project follows a compatibility model, where you are
always allowed to drop in a newer library release, and your application
will continue to work.
Usually when new exported symbols are added, this won't introduce new
dependencies for the application, when the application simply gets
rebuilt. Only if the application makes use of the new symbols a new
dependency will get introduced.
Now we recently ran into a situation, where an updated NSS release
exported an additional symbol. NSS made use of this symbol internally.
Unfortunately, it uses this symbol in a static .a library, and Mozilla
links with that static library!
So when the Mozilla application got rebuilt, the dependency on the new
exported symbol was implicitly added.
This caused SSL to stop working in Firefox, after end users upgraded
Firefox only, without upgrading the NSS package.
We identified the cause of this issue and the NSS team intends to get
rid of this .a library, and convert it into an .so library in a future
NSS release. This way it should no longer be possible to introduce
implicit new dependencies when building against a newer NSS library release.
Until the .a library can get removed, we'll have to avoid adding new
symbols in the same way again, by carefully reviewing the impact of new
introduced symbols.
I asked my question to dynamize the Requires: because it would help
ensure the recommendation of the NSS team, that at runtime you should
use at least the version you built against.
If we used this dynamic approach, we would be able to avoid future
dependency bugs like this - even if the .a lib is kept and if such a
mistake happens again.
I already promised to Chris Aillon, who is the Firefox RPM maintainer,
that the NSS team will look into removing the .a lib soon. But now that
I have learned a dynamic Requires: is possible, I would like to propose
to use this mechanism, too.
Because in addition it would ensure that end users updated to the latest
security update of the NSS library, even if they intended to only update
the Firefox package.
Regarding the way to do it, Rex Dieter proposed to use "nss-config
--version".
This looks like a good approach to me, because it avoids querying the
RPM database while doing an RPM build.
Thanks,
Kai
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3248 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-devel-list/attachments/20060823/c8ec2f53/attachment.bin>
More information about the fedora-devel-list
mailing list