Andrea (in CC) recently pointed me to libtiff installation warnings on Fedora/RISCV side:
[..]
Installing : libtiff-4.6.0-2.fc40.riscv64 5/5
Running scriptlet: libtiff-4.6.0-2.fc40.riscv64 5/5
/usr/sbin/ldconfig: /lib64/lp64d/libtiffxx.so.5 is not a symbolic link
/usr/sbin/ldconfig: /lib64/lp64d/libtiff.so.5 is not a symbolic link
[..]
7 months ago libtiff was updated to 4.5.0 [0] with a bunch of CVEs listed in the commit.
This added:
[..]
# Copy old soname
%{_libdir}/libtiff.so.5
# Copy old soname
%{_libdir}/libtiffxx.so.5
cp %{_libdir}/libtiff.so.5* $RPM_BUILD_ROOT%{_libdir}
cp %{_libdir}/libtiffxx.so.5* $RPM_BUILD_ROOT%{_libdir}
[..]
I assume this was added instead of doing a proper compat package before the SOVERSION bump, or maybe as a one-time thing for a side tag while everything gets rebuilt for a new libtiff.
This is from Fedora Rawhide (today) after installing libtiff-0:4.6.0-2.fc40.x86_64 (via DNF).
# readelf -p .note.package /usr/lib64/libtiff.so.5
String dump of section '.note.package':
  [ 4] |
  [ 8] ~^Z�DO
  [ 10] {"type":"rpm","name":"libtiff","version":"4.4.0-8.fc40","architecture":"x86_64","osCpe":"cpe:/o:fedoraproject:fedora:39"}
This seems to come from 4.4.0-8.fc40. A random check suggests there are a bunch of CVEs with the "LibTIFF 4.4.0" string.
The old "*.so.5*" should be removed from this package, as we keep carrying them over to the next build.
david
- - -
[0] https://src.fedoraproject.org/rpms/libtiff/c/cfa398260d7055fd80951b4c73d9b85...
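Added example, not part of the original thread: the check from the message above, done by decoding the .note.package note itself (owner "FDO", type 0xcafe1a7e, NUL-padded JSON, which is why the readelf dump shows "|" and "~^Z..DO" before the JSON) and comparing its version with the version-release of the package that ships the file. It assumes a little-endian ELF; the names parse_package_note, is_carried_over and build_sample are hypothetical, and the sample bytes are constructed from the JSON string shown in the dump.

```python
import json
import struct

FDO_PACKAGING_METADATA = 0xCAFE1A7E   # note type; on disk as bytes 7e 1a fe ca
NOTE_OWNER = b"FDO"

def parse_package_note(section: bytes) -> dict:
    """Decode the raw bytes of a .note.package section into its JSON payload."""
    if len(section) < 12:
        raise ValueError("section too short for a note header")
    namesz, descsz, ntype = struct.unpack_from("<III", section, 0)
    owner = section[12:12 + namesz].rstrip(b"\0")
    if owner != NOTE_OWNER or ntype != FDO_PACKAGING_METADATA:
        raise ValueError("not a package-metadata note")
    start = 12 + ((namesz + 3) & ~3)          # owner name is padded to 4 bytes
    desc = section[start:start + descsz]
    if len(desc) != descsz:
        raise ValueError("truncated note payload")
    return json.loads(desc.rstrip(b"\0"))     # payload is NUL-padded JSON

def is_carried_over(note: dict, owner_vr: str) -> bool:
    """True when the file comes from a different build than the package shipping it.

    owner_vr is the version-release of the owning package (assumption: obtained
    separately, e.g. from an rpm query on the file).
    """
    return note.get("type") == "rpm" and note.get("version") != owner_vr

def build_sample(payload: bytes) -> bytes:
    """Constructed test input: wrap a JSON payload in a package-metadata note."""
    desc = payload + b"\0"
    desc += b"\0" * (-len(desc) % 4)          # pad payload to a 4-byte multiple
    header = struct.pack("<III", 4, len(desc), FDO_PACKAGING_METADATA)
    return header + b"FDO\0" + desc

# Constructed sample built from the JSON string in the readelf dump above.
SAMPLE = build_sample(
    b'{"type":"rpm","name":"libtiff","version":"4.4.0-8.fc40",'
    b'"architecture":"x86_64","osCpe":"cpe:/o:fedoraproject:fedora:39"}')

if __name__ == "__main__":
    note = parse_package_note(SAMPLE)
    # 4.6.0-2.fc40 is the version-release of the installed package in the message.
    print(note["version"], "carried over:", is_carried_over(note, "4.6.0-2.fc40"))
```

On a real system the section bytes can be extracted with objcopy -O binary -j .note.package before being passed to parse_package_note.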
yeah, I've seen this pattern before, but it's not a great way to do things. ;(
Probably filing a bug is a good idea.
It looks like there's only 2 packages using the old soname.
kevin
On Wed, May 29, 2024 at 02:56:01PM GMT, Kevin Fenzi wrote:
> yeah, I've seen this pattern before, but it's not a great way to do things. ;(
> Probably filing a bug is a good idea.
> It looks like there's only 2 packages using the old soname.
David, have you had a chance to file the bug? We wouldn't want this to slip through the cracks.
Thanks!
On Mon, Jun 10, 2024 at 5:53 PM Andrea Bolognani abologna@redhat.com wrote:
> On Wed, May 29, 2024 at 02:56:01PM GMT, Kevin Fenzi wrote:
> > yeah, I've seen this pattern before, but it's not a great way to do things. ;(
> > Probably filing a bug is a good idea.
> > It looks like there's only 2 packages using the old soname.
> David, have you had a chance to file the bug? We wouldn't want this to slip through the cracks.
No I haven't. Feel free to file one if you have free cycles.
Thanks!
Thanks!
> -- Andrea Bolognani / Red Hat / Virtualization
On Wed, Jun 12, 2024 at 04:58:57PM GMT, David Abdurachmanov wrote:
> On Mon, Jun 10, 2024 at 5:53 PM Andrea Bolognani abologna@redhat.com wrote:
> > On Wed, May 29, 2024 at 02:56:01PM GMT, Kevin Fenzi wrote:
> > > yeah, I've seen this pattern before, but it's not a great way to do things. ;(
> > > Probably filing a bug is a good idea.
> > > It looks like there's only 2 packages using the old soname.
> > David, have you had a chance to file the bug? We wouldn't want this to slip through the cracks.
> No I haven't. Feel free to file one if you have free cycles.
Done: https://bugzilla.redhat.com/show_bug.cgi?id=2292047