[Bug 208810] net/samba43: way too many dependencies
bugzilla-noreply at freebsd.org
Thu Apr 14 21:59:07 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208810
Bug ID: 208810
Summary: net/samba43: way too many dependencies
Product: Ports & Packages
Version: Latest
Hardware: amd64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: timur at FreeBSD.org
Reporter: jdc at koitsu.org
Flags: maintainer-feedback?(timur at FreeBSD.org)
WARNING: Long, because this goes into detail about the mess.
I saw this in ports/UPDATING today:
20160412:
AFFECTS: Users of net/samba42 and net/samba/43
AUTHOR: timur at FreeBSD.org
Samba 4.2.x and 4.3.x ports have been updated to address
BadLock(http://badlock.org) vulnerability, as well as few other
discovered.
Please note that Samba 4.1.x and older versions are also affected by
the issues fixed with this release but are not supported anymore. It is
strongly recommend to upgrade to a recent version at your earliest
convenience.
The security updates include new smb.conf options and a number of
stricter behaviours to prevent Man in the Middle attacks. Between these
changes, compatibility with a large number of older software versions
has been lost in the default configuration.
For more information about the related behaviour changes and the
security issues please visit:
https://www.samba.org/samba/latest_news.html#4.4.2
https://www.samba.org/samba/history/samba-4.3.8.html
https://www.samba.org/samba/history/samba-4.2.11.html
Alongside this from pkg audit (because I use net/samba36):
samba36-3.6.25_2 is vulnerable:
samba -- multiple vulnerabilities
CVE: CVE-2016-2118
CVE: CVE-2016-2115
CVE: CVE-2016-2114
CVE: CVE-2016-2113
CVE: CVE-2016-2112
CVE: CVE-2016-2111
CVE: CVE-2016-2110
CVE: CVE-2015-5370
WWW:
https://vuxml.FreeBSD.org/freebsd/a636fc26-00d9-11e6-b704-000c292e4fd8.html
In other words: I really need to upgrade to one of the net/samba4* ports.
Here are the settings I use to build samba36 from ports, because I wanted a
very minimal Samba (I do not need all the extra bloat):
net_samba36_SET+= AIO_SUPPORT
net_samba36_UNSET+= LDAP CUPS ACL_SUPPORT WINBIND POPT
With this, we end up with:
net/samba36 make all-depends-list | wc -l: 26
net/samba36 make run-depends-list | wc -l: 5
net/samba36 make build-depends-list | wc -l: 9
net/samba36 make package-depends-list | wc -l: 10
net/samba36 make test-depends-list | wc -l: 0
Now let's compare with stock settings for net/samba43:
net/samba43 make all-depends-list | wc -l: 53
net/samba43 make run-depends-list | wc -l: 18
net/samba43 make build-depends-list | wc -l: 22
net/samba43 make package-depends-list | wc -l: 35
net/samba43 make test-depends-list | wc -l: 2
And pkg install samba43:
New packages to be INSTALLED:
samba43: 4.3.3_2
libsunacl: 1.0
popt: 1.16_1
openldap-client: 2.4.44
py27-dnspython: 1.12.0
py27-setuptools27: 20.0
ldb: 1.1.24
libgcrypt: 1.6.5_1
libgpg-error: 1.21
gnutls: 3.4.10
nettle: 3.2
gmp: 5.1.3_3
libtasn1: 4.7
p11-kit: 0.23.2
trousers-tddl: 0.3.10_7
libinotify: 20150910
gamin: 0.1.10_8
glib: 2.46.2
libarchive: 3.1.2_6,1
lzo2: 2.09
My mind is blown. Surely a substantial amount of this isn't required, right?
So let's tweak some of the options in make config to try and mimic samba36 as
much as possible. Let's try these, followed by make rmconfig (just as a
precaution), and redo numbers:
net_samba43_UNSET+= ACL_SUPPORT ADS AD_DC DNSUPDATE FAM LDAP
net_samba43_UNSET+= QUOTAS SYSLOG UTMP
Afterwards:
net/samba43 make all-depends-list | wc -l: 50
net/samba43 make run-depends-list | wc -l: 16
net/samba43 make build-depends-list | wc -l: 20
net/samba43 make package-depends-list | wc -l: 31
net/samba43 make test-depends-list | wc -l: 2
This is very disheartening.
I see stuff like GNUTLS, GPG, SASL v2, popt, and a whole ton of other things
which are probably "trickling dependencies" from some other port but I can't
tell which/what (I'd need to track it down one by one -- I really wish the
X-depends-list targets had a way to print a more "tree-like" structure).
The question then became: is all this garbage really needed? The answer
appears to be ***NO***.
I pulled down the samba43 source code myself and configured/compiled it with a
set of very minimal flags (I can provide those if you need), and I was able to
build it and get it running on my system which includes basically none of the
above "excessive" libraries. The libraries on my system:
apache24-2.4.20 Version 2.4.x of Apache web server
apr-1.5.2.1.5.4 Apache Portability Library
autoconf-wrapper-20131203 Wrapper script for GNU autoconf
bash-4.3.42_1 The GNU Project's Bourne Again SHell
bonnie++-1.97_3 Performance Test of Filesystem I/O
bsdhwmon-20151206 Hardware sensor monitoring utility for FreeBSD
ca_root_nss-3.22.2 Root certificate bundle from the Mozilla Project
curl-7.48.0_2 Non-interactive tool to get files from FTP,
GOPHER, HTTP(S) servers
cvsps-2.1_1 Create patchset information from CVS
cyrus-sasl-2.1.26_12 RFC 2222 SASL (Simple Authentication and
Security Layer)
db5-5.3.28_3 The Oracle Berkeley DB, revision 5.3
ddrescue-1.18.1 Data recovery tool
dialog4ports-0.1.5_2 Console Interface to configure ports
epic4-2.10.5_2 The (E)nhanced (P)rogrammable (I)RC-II (C)lient
expat-2.1.0_3 XML 1.0 parser written in C
fetchmail-6.3.26_2 Batch mail retrieval utility for
IMAP/POP3/ETRN/ODMR
gdbm-1.11_2 GNU database manager
gettext-runtime-0.19.7 GNU gettext runtime libraries and programs
gettext-tools-0.19.7 GNU gettext development and translation tools
git-2.8.1 Distributed source code management tool
gmake-4.1_2 GNU version of 'make' utility
gmake-lite-4.1_1 Minimalist version of gnu make
help2man-1.43.3_1 Automatically generating simple manual pages
from program output
icu-55.1 International Components for Unicode (from IBM)
indexinfo-0.2.4 Utility to regenerate the GNU info page index
libexecinfo-1.1_3 Library for inspecting program's backtrace
libffi-3.2.1 Foreign Function Interface
libiconv-1.14_9 Character set conversion library
libidn-1.31 Internationalized Domain Names command line tool
libxml2-2.9.3 XML parser library for GNOME
lynx-2.8.8.2_3,1 Non-graphical, text-based World-Wide Web client
m4-1.4.17_1,1 GNU m4
mariadb100-client-10.0.23 Multithreaded SQL database (client)
mariadb100-server-10.0.23 Multithreaded SQL database (server)
mime-support-3.58 MIME Media Types list
mod_php70-7.0.5_1 PHP Scripting Language
mtr-nox11-0.86 Traceroute and ping in a single network
diagnostic tool
mutt-1.6.0_1 The Mongrel of Mail User Agents (development
version)
p5-Authen-NTLM-1.09_1 Perl5 NTLM authentication module
p5-Authen-SASL-2.16_1 Perl5 module for SASL authentication
p5-Digest-HMAC-1.03_1 Perl5 interface to HMAC Message-Digest
Algorithms
p5-Encode-Locale-1.05 Determine the locale encoding
p5-Error-0.17024 Error/exception handling in object-oriented
programming style
p5-File-Listing-6.04_1 Parse directory listings
p5-GSSAPI-0.28_1 Perl extension providing access to the GSSAPIv2
library
p5-HTML-Parser-3.72 Perl5 module for parsing HTML documents
p5-HTML-Tagset-3.20_1 Some useful data table in parsing HTML
p5-HTTP-Cookies-6.01_1 HTTP Cookie jars
p5-HTTP-Daemon-6.01_1 Simple HTTP server class
p5-HTTP-Date-6.02_1 Conversion routines for the HTTP protocol date
formats
p5-HTTP-Message-6.11 Representation of HTTP style messages
p5-HTTP-Negotiate-6.01_1 Implementation of the HTTP content negotiation
algorithm
p5-IO-HTML-1.001_1 Open an HTML file with automatic charset
detection
p5-IO-Socket-IP-0.37 Drop-in replacement for IO::Socket::INET
supporting IPv4 and IPv6
p5-IO-Socket-SSL-2.025 Perl5 interface to SSL sockets
p5-LWP-MediaTypes-6.02_1 Guess media type for a file or a URL
p5-Locale-gettext-1.06 Message handling functions
p5-Mozilla-CA-20160104 Perl extension for Mozilla CA cert bundle in PEM
format
p5-Net-HTTP-6.09 Low-level HTTP client
p5-Net-SMTP-SSL-1.03 SSL support for Net::SMTP
p5-Net-SSLeay-1.73 Perl5 interface to SSL
p5-Socket-2.021 Networking constants and support functions
p5-URI-1.71 Perl5 interface to Uniform Resource Identifier
(URI) references
p5-WWW-RobotRules-6.02_1 Database of robots.txt-derived permissions
p5-libwww-6.15 Perl5 library for WWW access
pcre-8.38_1 Perl Compatible Regular Expressions library
perl5-5.20.3_11 Practical Extraction and Report Language
php70-7.0.5_1 PHP Scripting Language
php70-curl-7.0.5_1 The curl shared extension for php
php70-json-7.0.5_1 The json shared extension for php
php70-mysqli-7.0.5_1 The mysqli shared extension for php
php70-opcache-7.0.5_1 The opcache shared extension for php
php70-simplexml-7.0.5_1 The simplexml shared extension for php
pkg-1.7.2 Package manager
portlint-2.16.8 Verifier for FreeBSD port directory
postfix-sasl-3.1.0,1 Secure alternative to widely-used Sendmail
procmail-3.22_8 Local mail delivery agent
python-2.7_2,2 The "meta-port" for the default version of
Python interpreter
python2-2_3 The "meta-port" for version 2 of the Python
interpreter
python27-2.7.11_1 Interpreted object-oriented programming language
rsync-3.1.2_1 Network file distribution/synchronization
utility
samba36-3.6.25_2 Free SMB and CIFS client and server for Unix
serf-1.3.8_1 Serf HTTP client library
smartmontools-6.4_2 S.M.A.R.T. disk monitoring tools
sqlite3-3.11.1 SQL database engine in a C library
subversion-1.9.3_3 Version control system
sudo-1.8.16 Allow others to run commands as root
talloc-2.1.5 Hierarchical pool based memory allocator
tcl84-8.4.20_2,1 Tool Command Language
tdb-1.3.8,1 Trivial Database
tevent-0.9.26 Talloc based event loop library
urlview-0.9.20131021 URL extractor/launcher
vim-lite-7.4.1721 Improved version of the vi editor (lite package)
wget-1.16.3_1 Retrieve files from the Net via HTTP(S) and FTP
zfs-stats-lite-1.3 Display human-readable ZFS statistics
zip-3.0_1 Create/update ZIP files compatible with PKZIP
I also found this in the Makefile:
# XXX: Unconditional dependencies which can't be switched off(if present
# in the system)
And there appear to be many in there for which this is not true.
This matter really needs some attention. I would strongly suggest creating a
net/samba43-lite shim port (see editors/vim-lite, mail/mutt-lite, and
net/mtr-nox11 for examples) that provides "basic/minimal" functionality for
those of us that want such. Please DO NOT remove AIO support though -- that is
absolutely needed at this point in time.
Now, because I know someone will say it -- "please provide patches" -- I have
actually given this a shot (honest -- and I used to be a ports committer!).
The existing Makefile is a nightmare. I can try my best at this, but it's
going to take me probably a week and a half or more because I have to
reverse-engineer all of what's there. Maybe I could speed up the work time by
simply pulling features out (deleting lines) entirely.
Honestly it looks to me like there's just a lot of neglect to "minimalism" in
this port. Yes, I'm well aware the Samba guys have a tendency to bloat things,
but I really think a lot of this hullabaloo is on the FreeBSD port side, not on
the Samba side.
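The tree-like view of the X-depends-list output that the report wishes for, and the "which port pulls this in" question, can be answered from a flat list of package/dependency pairs. The following is an added example, not part of the original report or of the ports framework; `dep_tree`, `dep_paths` and `sample_edges` are hypothetical helper names, and the edge list is constructed for illustration rather than taken from samba43's real dependency graph.

```shell
#!/bin/sh
# Input for both functions: one "package dependency" pair per line on stdin.
# On a FreeBSD host such pairs can come from: pkg query -a '%n %dn'

# dep_tree ROOT: print ROOT's dependencies as an indented tree.
dep_tree() {
    awk -v root="$1" '
    { kids[$1] = kids[$1] " " $2 }
    function walk(node, indent, seen,    n, i, list) {
        print indent node
        n = split(kids[node], list, " ")
        for (i = 1; i <= n; i++)
            if (!index(seen, " " list[i] " "))      # skip cycles
                walk(list[i], indent "  ", seen list[i] " ")
    }
    END { walk(root, "", " " root " ") }'
}

# dep_paths ROOT TARGET: print every chain that pulls TARGET in under ROOT.
dep_paths() {
    awk -v root="$1" -v target="$2" '
    { kids[$1] = kids[$1] " " $2 }
    function walk(node, path, seen,    n, i, list) {
        if (node == target) { print path; return }
        n = split(kids[node], list, " ")
        for (i = 1; i <= n; i++)
            if (!index(seen, " " list[i] " "))
                walk(list[i], path " -> " list[i], seen list[i] " ")
    }
    END { walk(root, root, " " root " ") }'
}

# Constructed sample edges (illustrative only, not the real samba43 graph).
sample_edges() {
    cat <<'EOF'
samba43 gnutls
samba43 gamin
samba43 libarchive
gnutls nettle
gnutls libtasn1
nettle gmp
gamin glib
libarchive lzo2
EOF
}

sample_edges | dep_tree samba43          # indented tree of everything pulled in
sample_edges | dep_paths samba43 gmp     # chain that drags gmp in
```

Each chain printed by `dep_paths` names the direct dependency whose option would have to be switched off to drop the transitive package.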