Open MitchellCash opened 8 years ago
Yes it is a concern, I spent all of friday trying to update our gitian dependencies but succeeded in breaking the windows builds repeatedly.
Took another shot at trying to update the gitian descriptors to use a newer version of miniupnpc but I just get the following no matter what I do:
./build/net.o:net.cpp:(.text+0x7ce8): undefined reference to `__imp__upnpDiscover'
./build/net.o:net.cpp:(.text+0x7d20): undefined reference to `__imp__UPNP_GetValidIGD'
./build/net.o:net.cpp:(.text+0x7d54): undefined reference to `__imp__freeUPNPDevlist'
./build/net.o:net.cpp:(.text+0x7f00): undefined reference to `__imp__UPNP_AddPortMapping'
./build/net.o:net.cpp:(.text+0x800b): undefined reference to `__imp__UPNP_AddPortMapping'
./build/net.o:net.cpp:(.text+0x8022): undefined reference to `__imp__strupnperror'
./build/net.o:net.cpp:(.text+0x8068): undefined reference to `__imp__FreeUPNPUrls'
./build/net.o:net.cpp:(.text+0x8076): undefined reference to `__imp__strupnperror'
./build/net.o:net.cpp:(.text+0x80d3): undefined reference to `__imp__UPNP_GetExternalIPAddress'
./build/net.o:net.cpp:(.text+0x8186): undefined reference to `__imp__UPNP_DeletePortMapping'
./build/net.o:net.cpp:(.text+0x81a5): undefined reference to `__imp__freeUPNPDevlist'
./build/net.o:net.cpp:(.text+0x81b1): undefined reference to `__imp__FreeUPNPUrls'
The linux builds complete without issues, thought since you had windows builds working locally you might have some thoughts on this @mitchellcash
(4 hours)
Yeah I'm making it nowhere on this (4.75 hours)
This is without any testing but can you try adding DMINIUPNP_STATICLIB
to your DEFINES?
@mitchellcash doesn't look like that works either :( (2 hours)
Damn! So you made sure to define -DMINIUPNP_STATICLIB
instead of -DSTATICLIB
?
I was certain that would solve it lol
I added the define to the gitian descriptor during the build.
was any fix found @IngCr3at1on ?
Nope, any resolved issues were closed ;)
The miniupnpc codebase seems to contain vulnerabilities and Bitcoin seems to be moving towards removing the dependency completely.
Until they can remove the dependency completely their compromise for now is to at least disable it by default, to prevent UPnP vulnerabilities being a structural danger to the network.
Can @IngCr3at1on please comment if we should also be moving towards this and if, yes, should we prioritise this work to mitigate the risk as soon as possible.
Possible work required: