openindiana: xxhash package missing, openssl not found via pkg-config

[ThomasWaldmann]

master branch:

Needs (because openssl is not found via pkg-config):

export BORG_OPENSSL_PREFIX=/usr/openssl/1.1

Also, the borgbackup build fails, because it can not find xxhash.h, because there is no (lib)xxh(ash) package available for OI.

[ThomasWaldmann]

As I removed the bundled 3rd party code from borg 1.4-maint branch, the xxhash issue will also apply to borg 1.4 release (soon!).

Openindiana packagers:

Please package xxhash and make sure pkg-config works for xxhash and openssl.

[Toasterson]

Alright. I got a beta package produced quite easily. Libxxhash is now in review to be integrated at https://github.com/OpenIndiana/oi-userland/pull/16459 and should soon (a day or so) land

The pkgconfig variables are actually being resolved, however we are using a IPS feature people from other operating-system do not know to separate all out openssl versions, called mediators. Before you can build you have to run pfexec pkg set-mediator -V 3.1 openssl after that pkgconfig finds a compatible openssl.

Since I do not know how to produce a viable release tarball I had to hack the borgbackup package a bit. Once a release is published we can update the package. See https://github.com/Toasterson/oi-userland/tree/borgbackup/140beta2 for reference.

[ThomasWaldmann]

@Toasterson Thanks for working on this and also for the set-mediator hint, I really didn't know about that (but borg has a workaround via an env var for cases when pkg-config doesn't work, so I used that).

I'll update the vagrant box I use soon, so maybe borg 1.4.0b2 can get the usual platform testing I do with that before it gets released.

[ThomasWaldmann]

@Toasterson I left some comments there: https://github.com/Toasterson/oi-userland/commit/f3b5ad4b1ff5448a3d93512899742dcbe4603f76

[ThomasWaldmann]

@Toasterson Is that your OI box?:

https://app.vagrantup.com/openindiana/boxes/hipster

[Toasterson]

Yes, and the OpenIndiana Official one :) I am currently updating it, the only thing it will need is an update and reboot for the new Boot environment to become active.

[ThomasWaldmann]

xxhash landed in hipster:

http://pkg.openindiana.org/hipster/info/0/library%2Flibxxhash%400.8.2%2C5.11-2024.0.0.1%3A20240312T202057Z

Now only the vagrant box update is missing. ;-)

[Toasterson]

They where published quite some time ago :) And I rebuilt the vagrant box again. So that works now aswell.

[ThomasWaldmann]

So you still need to upload it there, right?

https://app.vagrantup.com/openindiana/boxes/hipster

[Toasterson]

Yes, but it's a bit wonky. I found the one I made two weeks ago. And there were very old versions I thought I deleted. I cleaned it up, should help already. The new one should be visible soon. The Twoo weeks old one works aswell :)

[ThomasWaldmann]

OK, now there is v202403 released 15d ago (this was not visible to me when I looked a few hours ago).

So, what is the version number of the latest version?

[ThomasWaldmann]

Uhoh, that's the backdoored xz version:

http://pkg.openindiana.org/hipster/info/0/compress%2Fxz%405.6.1%2C5.11-2024.0.0.0%3A20240311T222914Z

https://www.cve.org/CVERecord?id=CVE-2024-3094

[Toasterson]

OK, now there is v202403 released 15d ago (this was not visible to me when I looked a few hours ago).

Yep it was hidden beneath Versions that I thought I deleted. This is the latest version yes. The run today will have updated this version.

Uhoh, that's the backdoored xz version:

No, fortunately, the vuln didn't make it into the built binary. Looks like our OS was too exotic.

[ThomasWaldmann]

BTW, I tested borg 1.2.8 on openindiana (using your box and libxxhash, thanks!), it worked.

[ThomasWaldmann]

Remaining TODO: set-mediator

[dertuxmalwieder]

FWIW, xxhash from the Solaris fork of pkgsrc works just well -> https://github.com/TritonDataCenter/pkgsrc