Building Samba master on CentOS 7 (gnutls)
Andrew Bartlett
abartlet at samba.org
Wed Sep 18 23:32:36 UTC 2019
On Tue, 2019-09-03 at 14:44 +1000, Martin Schwenke wrote:
> Hi Andrew,
>
> On Tue, 03 Sep 2019 15:40:29 +1200, Andrew Bartlett
> <abartlet at samba.org> wrote:
>
> > You correctly mentioned that discussing how to get past the new GnuTLS
> > requirements on a unrelated and now closed Merge Request[1] is not
> > really helpful.
> > We do still have a mailing list, and this more 'meta' kind of issue is
> > what it is for.
> > The background is that we, in order to avoid having significant
> > duplicated cryptographic code in the SMB2 server, we chose to
> > exclusively require GnuTLS 3.5.7 or later. We will increase this
> > version in the future as and when the distribution landscape permits it
> > as it is no longer favoured to have cryptographic code 'in-house'.
>
> Sure...
>
> > The instructions for preparing a build environment on CentOS7 are here:
> > bootstrap/generated-dists/centos7/bootstrap.sh
> > https://git.samba.org/?p=samba.git;a=blob_plain;f=bootstrap/generated-dists/centos7/bootstrap.sh;hb=master
> > The key line is 'yum copr enable -y sergiomb/SambaAD' which enables a
> > user repository with compat-gnutls34-* in it. This is far from ideal,
> > it would be much better if this was in EPEL, but someone would need to
> > step up and do that.
> > However this is only half of the story, as to avoid overwriting the
> > system gnutls, the package is installed in a subdirectory.
>
> The nutty thing is that I ended up removing the original gnutls
> package anyway because dependent packages (including the devel
> package) conflicted:
>
> Transaction check error:
> file /usr/lib64/libgnutlsxx.so.28.1.0 from install of compat-gnutls34-c++-3.4.17-4.el7.x86_64 conflicts with file from package gnutls-c++-3.3.29-9.el7_6.x86_64
> file /usr/lib64/libgnutls-dane.so.0 from install of compat-gnutls34-dane-3.4.17-4.el7.x86_64 conflicts with file from package gnutls-dane-3.3.29-9.el7_6.x86_64
> file /usr/lib64/libgnutls-dane.so from install of compat-gnutls34-devel-3.4.17-4.el7.x86_64 conflicts with file from package gnutls-devel-3.3.29-9.el7_6.x86_64
> file /usr/lib64/libgnutls.so from install of compat-gnutls34-devel-3.4.17-4.el7.x86_64 conflicts with file from package gnutls-devel-3.3.29-9.el7_6.x86_64
>
> Given that gnutls.pc is in the devel package, and there's a direct
> conflict between gnutls-devel and compat-gnutls34-devel, the
> subdirectory for the gnutls.pc file is completely pointless. If only
> one devel package can be installed then it might as well be
> self-contained... :-(
Drat. That isn't ideal.
> > The build needs to first set as an environment variable
> >
> > PKG_CONFIG_PATH="/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig"
> >
> > (this is in .gitlab-ci.yml).
>
> OK, thanks! That's the missing step! Unless someone decides that the
> subdirectory is pointless and fixes the packaging, then we should
> document this with a comment in
> bootstrap/generated-dists/centos7/bootstrap.sh or a README in that
> directory.
>
> I'm happy to take advice and make it so...
We can't easily add comments like that to the bootstap.sh, but a README
might work. Only trouble is that you will need to modify
bootstrap/template.py to also exclude that new file from the sha1sum
calcuations.
Getting a better gnutls34 or later package into EPEL without the
conflicts would also be really helpful.
Sorry this didn't go as well as I had hoped and hopefully smoother
sailing with CentOS8 is on the way soon.
Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
More information about the samba-technical
mailing list