Closed xartin closed 4 years ago
Hi @xartin
I just updated, fixing some QA issues. Regarding fix-gnustack: can we remove the _remove_execstack_markings() call and the dependency on fix-gnustack?
ciao
luigi
The execstack marking code may still be useful for some hardened users and perhaps could be commented and the one library listed removed, but make whichever decision you feel best.
In this case the file listed for fix-gnustack to modify no longer exists in plex server release tarballs, but it's perhaps plausible another newer file plex added to the newer releases may benefit from the ebuild code to accomplish the same task for hardened gentoo users. With this in mind, not removing that code entirely from the ebuild could be adequate.
I'm not aware of how to check if any newer libraries would require execstack marking with fix-gnustack, but if I was going to inquire how to accomplish checking that, inquiring on freenode in #gentoo-hardened or messaging blueness could reveal very beneficial tips.
Regarding fixing the QA dependency issues, I'm not certain what would be the best approach. Gentoo devs have been making some changes recently and updating TONS of outdated ebuilds, and that GLEP QA check on the official plex server ebuilds is related to those efforts. I'm not immediately clear on the specific changes they have planned.
Cheers,
Michael
P.S. Italy is a lovely place. I spent a week in October cycling the coast of Liguria from Savona to Rapallo :)
Ciao!
Hi @xartin,
I modified the ebuild a couple of weeks ago. Is it working for you and can I close the issue?
Hi there.
I checked the ebuild and the fix appears to be working while still accommodating the code block still being available or useful for hardened systems if it's necessary.
I agree this specific issue is indeed fixed. Cheers and thanks :)
I've discovered a possibly easy fix for an error caused by the plex-media-server ebuilds I wanted to relay, as these ebuilds being maintained more frequently than the official tree is very appreciated, and if some of the minor consistency concerns are fixed it's plausible mgorny or another proxy maintainer dev might consider merging these ebuilds as official ebuild updates via pull request to gentoo's git repo.
The stated EXECSTACK_BINS variable is triggering fix-gnustack to throw an fopen_fail() error when the ebuild runs _remove_execstack_markings().
This is caused by /usr/lib/plexmediaserver/libgnsdk_dsp.so* no longer existing in the unpacked source tarballs for plex-media-server.
Secondary to this, but perhaps more important, there's a DEPEND QA ebuild inconsistency reported by repoman related to avahi being an invalid dependency.
I'm using the default/linux/amd64/17.1/desktop/plasma/systemd profile.
There are a few QA issues reported for the portage ebuilds by mgorny in the official tree for the plex-media-server ebuilds that may be related to these repoman QA issues.
https://bugs.gentoo.org/694828
Again thanks, and if I'm able to help without tripping over your efforts I'm keen to offer some feedback or testing. I maintain another personal repo for Sonarr, Radarr and Lidarr on my github page.
Cheers,
xartin / ali3nx
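For the question raised in the thread about how to check whether a newer bundled library carries an executable-stack marking, the sketch below reads the PT_GNU_STACK program header of each ELF file in an unpacked tree. It is an added example, not code from the ebuild or from fix-gnustack; the function names and the sample image are constructed for illustration.

```python
import os
import struct

PT_GNU_STACK = 0x6474E551  # program header type that carries the stack permissions
PF_X = 0x1                 # execute bit in p_flags

def gnu_stack_status(data: bytes) -> str:
    """Return 'execstack', 'noexecstack', 'no-marking' or 'not-elf' for a file image."""
    if len(data) < 52 or data[:4] != b"\x7fELF" or data[4] not in (1, 2) or data[5] not in (1, 2):
        return "not-elf"
    is64 = data[4] == 2                   # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little-endian, 2 = big-endian
    try:
        # e_phoff, e_phentsize and e_phnum sit at different offsets in ELF32 and ELF64.
        phoff, = struct.unpack_from(end + ("Q" if is64 else "I"), data, 32 if is64 else 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54 if is64 else 42)
        for i in range(phnum):
            base = phoff + i * phentsize
            p_type, = struct.unpack_from(end + "I", data, base)
            if p_type == PT_GNU_STACK:
                # p_flags follows p_type in ELF64 but is the 7th word in ELF32.
                p_flags, = struct.unpack_from(end + "I", data, base + (4 if is64 else 24))
                return "execstack" if p_flags & PF_X else "noexecstack"
    except struct.error:
        return "not-elf"  # truncated or corrupt headers
    return "no-marking"   # no PT_GNU_STACK entry: the loader applies its default

def scan_tree(root: str) -> dict:
    """Map path -> status for each regular ELF file under root; other files are skipped."""
    found = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh:
                    status = gnu_stack_status(fh.read())
            except OSError:
                continue  # unreadable file; a vanished path must not abort the scan
            if status != "not-elf":
                found[path] = status
    return found

def sample_elf64(p_flags: int) -> bytes:
    """Constructed image: ELF64 little-endian header plus one PT_GNU_STACK entry."""
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ehdr + struct.pack("<IIQQQQQQ", PT_GNU_STACK, p_flags, 0, 0, 0, 0, 0, 16)
```

Running scan_tree() over the unpacked tarball directory and keeping only the paths reported as "execstack" or "no-marking" gives a list of files that actually exist, so nothing is passed to the marking step that is missing from the release.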