[libvirt] [PATCHv2] build: avoid -lgcrypt with newer gnutls

Eric Blake eblake at redhat.com
Mon Jul 29 15:29:39 UTC 2013


On 07/29/2013 04:25 AM, Daniel P. Berrange wrote:
> On Fri, Jul 26, 2013 at 08:22:29PM -0500, Doug Goldstein wrote:
>> On Fri, Jul 26, 2013 at 5:04 PM, Eric Blake <eblake at redhat.com> wrote:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=951637
>>>
>>> Newer gnutls uses nettle, rather than gcrypt, which is a lot nicer
>>> regarding initialization.  Yet we were unconditionally initializing
>>> gcrypt even when gnutls wouldn't be using it, and having two crypto
>>> libraries linked into libvirt.so is pointless.
>>>
>>> Assume that the switch to gnutls 3.0 is a reliable witness, when
>>> pkg-config is present; otherwise be pessimistic and use gcrypt.
>>>
>>
>> Hate to throw a monkey wrench in the plan, but GnuTLS 3.0 isn't the
>> nettle cut over. On my stable Gentoo box with GnuTLS 2.12.23, it's
>> using nettle as seen by ldd.
>>
>> It appears it was an optional cutover and I guess Gentoo made the
>> plunge. Another idea, that you might hate would be to use pkg-config
>> directly and pass --static so we can get the private libraries. I'm
>> not running Fedora 19 yet so the best I can do is give you Fedora 18
>> as a comp, but that works out great since it's using 2.12.23 as well.
> 
> Hmm, so Eric's patch is mostly just an optimization, to avoid unnecessarily
> linking to libgcrypt.  If we link to libgcrypt when gnutls is using nettle
> nothing bad really happens. We just unnecessarily initialize gcrypt.

So, should I try for a v3 that treats:

< 2.12 - gcrypt only
>= 3.0 - nettle only
<= 2.12 && < 3.0 - assume gcrypt unless 'pkg-config --static' proves the
use of nettle instead of gcrypt

or do we just stick with v2?  Also, is this still worth getting in
before 1.1.1, or since (as Dan pointed out) this is just an optimization
and not a correctness issue, should we wait until after the release so
we aren't rushing things?

> 
> Conversely, if we do not link to libgcrypt, when gnutls is using libgcrypt,
> then we are missing important initialization code, which *is* bad.
> 
> IOW, doing the check against version 3.0.0 or later does not cause any
> problems, since we know that libgcrypt can never be used with that version.
> 
> If we do a check against 2.12 though, we could miss out linkage against
> libgcrypt depending on how the distro built their packages.
> 
> 
> So unless we can come up with an easy & reliable way to detect use of
> nettle with 2.x versions, I'm inclined to just stick our heads in the
> sand and pretend that no 2.x version ever used nettle. Worst case we
> link to and initialize gcrypt, which is not a bad problem.

Versions less than 2.12 (such as RHEL 6) don't matter - and so far,
'pkg-config --static' appears to be reliable on all 2.12 builds whether
or not they made the switch.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
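A small shell sketch of the three-way rule Eric proposes above, added here as an illustration; it is not code from libvirt's configure.ac or from anyone on the thread. The gnutls version and the `pkg-config --static --libs` output are passed in as constructed sample strings rather than queried from the system, so it runs offline; on a real build host one would feed it `pkg-config --modversion gnutls` and `pkg-config --static --libs gnutls`. It falls back to gcrypt whenever nettle cannot be proven, because, as Dan points out, skipping gcrypt initialization when gnutls really does use gcrypt is the unsafe outcome, while initializing gcrypt needlessly is harmless.

```shell
#!/bin/sh
# Added example (not libvirt's build code): decide which crypto backend
# libvirt must link and initialize for a given gnutls, following the rule
# from the thread:
#   < 2.12          -> gcrypt only
#   >= 3.0          -> nettle only
#   2.12.x          -> gcrypt unless `pkg-config --static` shows -lnettle

# version_ge A B: succeeds when dotted version A >= B (compares up to 3 fields)
version_ge() {
    v1="$1" v2="$2"
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$v1" | cut -d. -f"$i")
        b=$(printf '%s' "$v2" | cut -d. -f"$i")
        a=${a:-0}; b=${b:-0}          # missing micro/minor field counts as 0
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# crypto_backend VERSION STATIC_LIBS
#   VERSION     output of `pkg-config --modversion gnutls`
#   STATIC_LIBS output of `pkg-config --static --libs gnutls` (private libs)
# Prints "gcrypt" when libvirt must link and initialize gcrypt, else "nettle".
crypto_backend() {
    version="$1" static_libs="$2"
    if version_ge "$version" "3.0"; then
        echo nettle                   # 3.0+ can never use gcrypt
    elif ! version_ge "$version" "2.12"; then
        echo gcrypt                   # pre-2.12 always used gcrypt
    else
        # 2.12.x: distro may have built either way; trust --static only
        # when it positively shows nettle, otherwise stay pessimistic.
        case " $static_libs " in
            *" -lnettle "*) echo nettle ;;
            *)              echo gcrypt ;;
        esac
    fi
}

# Constructed sample `pkg-config --static --libs gnutls` outputs (not
# captured from real systems), modelled on the builds named in the thread.
GENTOO_2_12_NETTLE="-lgnutls -lnettle -lhogweed -lgmp -lz"
OLD_2_8_GCRYPT="-lgnutls -lgcrypt -lgpg-error -lz"
NEW_3_1_NETTLE="-lgnutls -lnettle -lhogweed -lgmp -lp11-kit -lz"
F18_2_12_GCRYPT="-lgnutls -lgcrypt -lgpg-error -lz"

for sample in "2.12.23|$GENTOO_2_12_NETTLE" "2.8.5|$OLD_2_8_GCRYPT" \
              "3.1.11|$NEW_3_1_NETTLE" "2.12.23|$F18_2_12_GCRYPT"; do
    ver=${sample%%|*}
    libs=${sample#*|}
    printf 'gnutls %-8s -> %s\n' "$ver" "$(crypto_backend "$ver" "$libs")"
done
```

The only input that matters for the ambiguous 2.12 range is whether `-lnettle` appears among the private libraries; a 2.12 build whose `--static` output lists neither library (for example when the .pc file carries no Libs.private) still resolves to gcrypt, which is the direction the thread agrees is the harmless mistake.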
