Source: xorg-server Version: 2:21.1.15-2 Severity: wishlist Tags: patch Hi Xserver maintainers!
Please consider building the X.org xserver against nettle for its implementation of sha1. nettle is likely to already be installed on upcoming debian systems, since apt depends on sqv, which depends on libnettle. We already build xserver against libnettle statically for the udeb, so we know that it works as a sha1 backend. I've prepared a short patch series that makes xserver depend directly on nettle for the normal .deb, not just the udeb. You can find it here: https://salsa.debian.org/xorg-team/xserver/xorg-server/-/merge_requests/15 I'm also including those changes against the debian-unstable branch in this message, but since the most complex one is a diff of debian/patches it might be easier to make sense of it on the salsa MR. I hope this is helpful! --dkg -- System Information: Debian Release: trixie/sid APT prefers testing-debug APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 6.12.6-amd64 (SMP w/20 CPU threads; PREEMPT) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
From b39f35ef926de752001b5efaa15f9e10ef9900ef Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Date: Tue, 11 Feb 2025 18:53:47 -0500
Subject: [PATCH 1/3] Use statically linked nettle from upstream

Upstream has merged this change, see https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1756 This should let us build the udeb cleanly, leaving the ability to build against a non-static nettle in the normal build.
---
 ...-enable-static-use-of-Nettle-for-SHA1.diff | 50 +++++++++++++++++++
 debian/patches/03_static-nettle.diff | 19 -------
 debian/patches/series | 4 +-
 debian/rules.flags | 2 +-
 4 files changed, 52 insertions(+), 23 deletions(-)
 create mode 100644 debian/patches/03_autotools-enable-static-use-of-Nettle-for-SHA1.diff
 delete mode 100644 debian/patches/03_static-nettle.diff

diff --git a/debian/patches/03_autotools-enable-static-use-of-Nettle-for-SHA1.diff b/debian/patches/03_autotools-enable-static-use-of-Nettle-for-SHA1.diff
new file mode 100644
index 000000000..16029538d
--- /dev/null
+++ b/debian/patches/03_autotools-enable-static-use-of-Nettle-for-SHA1.diff
@@ -0,0 +1,50 @@
+From: Daniel Kahn Gillmor <d...@fifthhorseman.net>
+Date: Fri, 3 Jan 2025 14:41:59 -0500
+Subject: autotools: enable static use of Nettle for SHA1
+
+Debian builds xserver 21 using autotools.
+
+When debian builds xserver-xorg for constrained environments like the
+installer, it wants to build against the static library of libnettle
+for SHA1, see debian/patches/03_static-nettle.diff in the debian
+repository at
+https://salsa.debian.org/xorg-team/xserver/xorg-server.git
+
+This modification of configure.ac makes it possible to build static
+nettle when needed, while preserving the build to use nettle with a
+dynamic library when passing a different configuration option.
+
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1756>
+(cherry picked from commit a651eefc9e525072d99413c1aeabd01858c50819)
+---
+ configure.ac | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 7c24a74..fcdef39 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1509,7 +1509,7 @@ CORE_INCS='-I$(top_srcdir)/include -I$(top_builddir)/include'
+ 
+ # SHA1 hashing
+ AC_ARG_WITH([sha1],
+- [AS_HELP_STRING([--with-sha1=libc|libmd|libnettle|libgcrypt|libcrypto|libsha1|CommonCrypto|CryptoAPI],
++ [AS_HELP_STRING([--with-sha1=libc|libmd|libnettle|nettlestatic|libgcrypt|libcrypto|libsha1|CommonCrypto|CryptoAPI],
+ [choose SHA1 implementation])])
+ AC_CHECK_FUNC([SHA1Init], [HAVE_SHA1_IN_LIBC=yes])
+ if test "x$with_sha1" = x && test "x$HAVE_SHA1_IN_LIBC" = xyes; then
+@@ -1584,6 +1584,14 @@ if test "x$with_sha1" = xlibnettle; then
+ [Use libnettle SHA1 functions])
+ SHA1_LIBS=-lnettle
+ fi
++if test "x$with_sha1" = xnettlestatic && test "x$HAVE_LIBNETTLE" != xyes; then
++ AC_MSG_ERROR([nettlestatic requested but libnettle not found])
++fi
++if test "x$with_sha1" = xnettlestatic; then
++ AC_DEFINE([HAVE_SHA1_IN_LIBNETTLE], [1],
++ [Use static libnettle SHA1 functions])
++ SHA1_LIBS=-l:libnettle.a
++fi
+ AC_CHECK_LIB([gcrypt], [gcry_md_open], [HAVE_LIBGCRYPT=yes])
+ if test "x$with_sha1" = x && test "x$HAVE_LIBGCRYPT" = xyes; then
+ with_sha1=libgcrypt
diff --git a/debian/patches/03_static-nettle.diff b/debian/patches/03_static-nettle.diff
deleted file mode 100644
index d6878a332..000000000
--- a/debian/patches/03_static-nettle.diff
+++ /dev/null
@@ -1,19 +0,0 @@
-Link against static libnettle
-
-There's no libnettle udeb.
-
----
- configure.ac | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/configure.ac
-+++ b/configure.ac
-@@ -1582,7 +1582,7 @@ fi
- if test "x$with_sha1" = xlibnettle; then
- AC_DEFINE([HAVE_SHA1_IN_LIBNETTLE], [1],
- [Use libnettle SHA1 functions])
-- SHA1_LIBS=-lnettle
-+ SHA1_LIBS=-l:libnettle.a
- fi
- AC_CHECK_LIB([gcrypt], [gcry_md_open], [HAVE_LIBGCRYPT=yes])
- if test "x$with_sha1" = x && test "x$HAVE_LIBGCRYPT" = xyes; then
diff --git a/debian/patches/series b/debian/patches/series
index deb848d23..034a798f3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,7 +1,5 @@
-## Patches with a number < 100 are applied in debian.
-## Ubuntu patches start with 100.
 02_kbsd-input-devd.diff
-03_static-nettle.diff
+03_autotools-enable-static-use-of-Nettle-for-SHA1.diff
 05_Revert-Unload-submodules.diff
 06_use-intel-only-on-pre-gen4.diff
 07_use-modesetting-driver-by-default-on-GeForce.diff
diff --git a/debian/rules.flags b/debian/rules.flags
index 68cdabaf0..2543ea1bc 100644
--- a/debian/rules.flags
+++ b/debian/rules.flags
@@ -89,7 +89,7 @@ confflags_udeb = \
 --disable-xnest \
 --disable-kdrive \
 --disable-xephyr \
- --with-sha1=libnettle \
+ --with-sha1=nettlestatic \
 $(void)
 
 ifeq ($(DEB_HOST_ARCH_OS), linux)
-- 
2.47.2
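Review bot: The new `nettlestatic` branch in the embedded configure.ac hunk gates only on `HAVE_LIBNETTLE`, yet it then links with `-l:libnettle.a`; the static archive itself is never probed at configure time, so a host that has only the shared libnettle passes configure and fails at link time instead. The `AC_CHECK_LIB` that sets `HAVE_LIBNETTLE` sits outside this hunk, so I am inferring from the sibling `libnettle` branch that it tests the shared library. A small configure probe that temporarily prepends `-l:libnettle.a` to `LIBS`, runs `AC_CHECK_FUNC` on a nettle SHA1 symbol and restores `LIBS` would turn that into a clear `AC_MSG_ERROR`. Since this file is a cherry-pick of an upstream commit, that check belongs upstream first; locally, the patch header could at least note that `-l:` is a GNU ld / lld extension rather than portable linker syntax, e.g. `Note: -l:libnettle.a requires a GNU-ld-compatible linker.`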
From 292c59f73b7a0634aae3cc53b345ad4611e84250 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Date: Tue, 11 Feb 2025 18:58:45 -0500
Subject: [PATCH 2/3] Use nettle for sha1

The udeb build uses nettle for sha1. There's no reason we can't use nettle for the mainline build as well. This reduces one build-dependency.
---
 debian/control | 1 -
 debian/rules.flags | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/debian/control b/debian/control
index 709cfca36..8b2e39977 100644
--- a/debian/control
+++ b/debian/control
@@ -20,7 +20,6 @@ Build-Depends:
 libxkbfile-dev (>= 1:0.99.1),
 libpixman-1-dev (>= 0.27.2),
 libpciaccess-dev (>= 0.12.901),
- libgcrypt-dev,
 nettle-dev,
 libudev-dev (>= 151-3) [linux-any],
 libselinux1-dev (>= 2.0.80) [linux-any],
diff --git a/debian/rules.flags b/debian/rules.flags
index 2543ea1bc..034228dba 100644
--- a/debian/rules.flags
+++ b/debian/rules.flags
@@ -59,7 +59,7 @@ confflags_main = \
 --enable-xnest \
 --enable-kdrive \
 --enable-xephyr \
- --with-sha1=libgcrypt \
+ --with-sha1=libnettle \
 --enable-xcsecurity \
 $(void)
-- 
2.47.2
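Review bot: Dropping `libgcrypt-dev` from Build-Depends is only safe because `--with-sha1=libnettle` is now passed explicitly in `confflags_main`: the configure.ac context carried in the previous patch shows gcrypt is still probed unconditionally (`AC_CHECK_LIB([gcrypt], ...)`) and auto-selected only when `$with_sha1` is empty, so with the explicit flag the probe result is simply unused. That coupling is worth stating in the commit message, e.g. `configure still probes gcrypt but only auto-selects it when --with-sha1 is unset; keep the explicit flag or the build may pick an undeclared backend`, so a later cleanup of `confflags_main` does not silently reintroduce a dependency the control file no longer declares. `nettle-dev` already appears as context in the hunk, so no new build-dependency is introduced for the main build.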