Hi Daniel! Thanks for your report. I take an interest in OpenLDAP's Debian package and did some research, mainly for the sake of the more regular maintainers and helpers.

> The fact that openldap aborts on an assert implies that the Debian build is a
> debug one and not a release build, which seems wrong.
> The error is thus that Debian ships a debug build of OpenLDAP that gets used
> in production by curl (and others).

Yes, this does look weird. The Debian package specifies arguments to the configure script at https://salsa.debian.org/openldap-team/openldap/-/blob/master/debian/configure.options#L67 and there we do pass --enable-debug explicitly. This is just a coincidence and it's not actually the culprit though, because --enable-debug is OpenLDAP upstream's default, even in their release tarballs. At https://salsa.debian.org/openldap-team/openldap/-/blob/master/configure.ac#L230 the option is defined and at line 2507 the parameter is used. It appears the only scenario where the assertions aren't built in is when --disable-debug or --enable-debug=no are explicitly passed.

To confirm, I removed --enable-debug from Debian's invocation of configure and noticed in the build tree that the generated include/portable.h header still defines LDAP_DEBUG as 1.

It appears that Debian uses the official release tarballs at https://openldap.org/software/download/OpenLDAP/openldap-release/ in making its packages (after discarding some contents and repacking it due mainly to licensing issues around documentation), and Debian's pristine-tar branch hints this was adhered to.

> A library should not abort in production and the OpenLDAP library does not do
> that in release builds.

With all due respect, I wonder if you drew this conclusion hastily and I'm not sure it's accurate. Upstream's build/version.sh prints

  OL_TYPE=Release
  OL_STRING="OpenLDAP 2.6.10-Release"

although this only examines the source tree and doesn't depend on build configuration. It's not obvious that there is an option besides an explicit --disable-debug that would accomplish just that.

In conclusion, it looks like upstream's default is to build assertions in and it's not obvious if downstream distributors are supposed to pass --disable-debug explicitly. Maybe advice is somewhere in their documentation, but otherwise I don't see any equivalent to, say, GCC's --enable-checking=release for example. Checking in with upstream to ensure this default is an intentional one would be a next step. In the meantime this doesn't look like an egregious misconfiguration and I expect other downstreams leave this default alone.

> The assert is probably an error too (but beside the point for this issue) and
> I have reported it upstream to OpenLDAP here:
> https://bugs.openldap.org/show_bug.cgi?id=10370

That was fixed quickly! Thanks for reporting to them as well.

> Kernel: Linux 6.12.27-amd64 (SMP w/24 CPU threads; PREEMPT)

P.S. Is this your new Framework by chance? I hope your install went well 🙂