Thread: [Aide-devel] Patch set adding new features
From: Steve G. <sg...@re...> - 2006-10-17 12:52:53
Hi,

I am going to send a series of patches today that adds new features and fixes bugs and cleans up code for higher performance. The patches are to be applied sequentially and sometimes fix problems in previous patches. We have tested the resulting binaries on FC6 Linux.

Thanks,
-Steve Grubb
Security Standards Team

From: Richard v. d. B. <ri...@vd...> - 2006-10-27 20:50:42
Steve Grubb wrote:
> I am going to send a series of patches today that adds new features and fixes
> bugs and cleans up code for higher performance. The patches are to be applied
> sequentially and sometimes fix problems in previous patches. We have tested
> the resulting binaries on FC6 Linux.

Many thanks for the patches. They have all been committed to CVS. I'll need to do some portability and regression tests before I can start releasing aide 0.13 so others will also benefit from the changes you made.

Sincerely,

Richard van den Berg

From: Marc H. <mh+...@zu...> - 2006-10-28 11:20:04
On Fri, Oct 27, 2006 at 10:50:19PM +0200, Richard van den Berg wrote:
> Steve Grubb wrote:
> > I am going to send a series of patches today that adds new features and fixes
> > bugs and cleans up code for higher performance. The patches are to be applied
> > sequentially and sometimes fix problems in previous patches. We have tested
> > the resulting binaries on FC6 Linux.
>
> Many thanks for the patches. They have all been committed to CVS. I'll
> need to do some portability and regression tests before I can start
> releasing aide 0.13 so others will also benefit from the changes you made.

These are exciting changes. I will build, test and upload a CVS snapshot package to Debian experimental later today.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

From: Steve G. <sg...@re...> - 2006-10-28 13:36:49
On Friday 27 October 2006 16:50, Richard van den Berg wrote:
> Many thanks for the patches. They have all been committed to CVS.

That's good news. I think we can help with a little more performance work after 0.13. I don't want to see too many changes in a release in case a regression gets introduced.

> I'll need to do some portability and regression tests before I can start
> releasing aide 0.13 so others will also benefit from the changes you made.

We did find one more memory leak...in the new acl code. I'll send a patch for that separately. In case anyone wants to know how we are building, we use these:

Buildrequires: libattr-devel libacl-devel libselinux-devel
Buildrequires: audit-libs-devel >= 1.2.8-2

%configure --with-config_file=%{_sysconfdir}/aide.conf \
           --with-zlib --disable-static \
           --with-selinux --with-posix-acl --with-audit

mhash-devel is not installed in the build root.

Hope this helps...

-Steve

From: Michael S. <msc...@gm...> - 2006-10-29 21:31:39
On 27/10/06, Richard van den Berg wrote:
> Steve Grubb wrote:
> > I am going to send a series of patches today that adds new features and fixes
> > bugs and cleans up code for higher performance. The patches are to be applied
> > sequentially and sometimes fix problems in previous patches. We have tested
> > the resulting binaries on FC6 Linux.
>
> Many thanks for the patches. They have all been committed to CVS. I'll
> need to do some portability and regression tests before I can start
> releasing aide 0.13 so others will also benefit from the changes you made.

Your added pkg-config check for libselinux.pc doesn't work here (Fedora Core) since there is no such pkg-config file for libselinux.

From: Richard v. d. B. <ri...@vd...> - 2006-10-30 08:17:33
Michael Schwendt wrote:
> Your added pkg-config check for libselinux.pc doesn't work here
> (Fedora Core) since there is no such pkg-config file for libselinux.

Sigh, I was afraid that might happen. I chose the pkg-config approach because on Debian, selinux needs the -pthread linking flag. I don't know how to detect this without pkg-config. I've added a fall back to -lselinux when pkg-config does not return anything. Can you see if that works for you?

Sincerely,

Richard van den Berg

From: Michael S. <msc...@gm...> - 2006-10-30 21:00:10
Attachments:
configure.in.diff
On 30/10/06, Richard van den Berg wrote:
> Michael Schwendt wrote:
> > Your added pkg-config check for libselinux.pc doesn't work here
> > (Fedora Core) since there is no such pkg-config file for libselinux.
>
> Sigh, I was afraid that might happen. I chose the pkg-config
> approach because on Debian, selinux needs the -pthread linking flag. I
> don't know how to detect this without pkg-config. I've added a fall back
> to -lselinux when pkg-config does not return anything. Can you see if
> that works for you?

It prints the ugly pkg-config error message like this:

| checking for selinux-support... Package libselinux was not found in the pkg-config search path.
| Perhaps you should add the directory containing `libselinux.pc'
| to the PKG_CONFIG_PATH environment variable
| No package 'libselinux' found
| yes

Find attached a patch that makes it cleaner.

I've noticed you started adding "-lstatic" in many places. This leads to problems in environments where static libraries are not available by default due to security concerns and where shared linking is preferred. Better use $LD_STATIC_FLAG, so at least the --disable-static switch is respected.

From: Richard v. d. B. <ri...@vd...> - 2006-10-30 21:29:54
Michael Schwendt wrote:
> It prints the ugly pkg-config error message like this:
[snip]
> Find attached a patch that makes it cleaner.

Thanks for the patch. I knew it could be done better, just didn't know how. :-)

> I've noticed you started adding "-lstatic" in many places.

Where exactly? I use --static as an argument to pkg-config in order to get it to display private libs. Since pkg-config is only used for --with-selinux that should not be a problem because static linking is fully supported on Linux. And even if --disable-static is used, linking dynamically against the private libs should not hurt.

Sincerely,

Richard van den Berg

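The quiet pkg-config probe with a -lselinux fallback discussed in the messages above, as an added shell example; it is not the attached configure.in.diff and not AIDE's configure code. The helper names (probe_libs, make_stub, demo), the PKG_CONFIG override and the stub's output are constructed assumptions.

```shell
#!/bin/sh
# Added example, not AIDE's configure.in. probe_libs, make_stub, demo and
# the stub's output are constructed for illustration.

# Print linker flags for package $1, or fallback $2 when pkg-config is
# missing, fails, or prints nothing. pkg-config's stderr is discarded so
# the "was not found in the pkg-config search path" text never shows.
probe_libs() {
    pkg=$1 fallback=$2
    pc=${PKG_CONFIG:-pkg-config}
    # --static makes pkg-config list private libs too, as in the thread.
    if command -v "$pc" >/dev/null 2>&1 &&
       libs=$("$pc" --libs --static "$pkg" 2>/dev/null) &&
       [ -n "$libs" ]; then
        printf '%s\n' "$libs"
    else
        printf '%s\n' "$fallback"
    fi
}

# Constructed stand-in for pkg-config. Mode "debian" knows libselinux and
# reports a thread flag; any other mode has no libselinux.pc and complains.
make_stub() {
    mode=$1 dir=$(mktemp -d)
    cat > "$dir/pkg-config" <<EOF
#!/bin/sh
if [ "$mode" = debian ]; then
    echo "-lselinux -pthread"
else
    echo "No package 'libselinux' found" >&2
    exit 1
fi
EOF
    chmod +x "$dir/pkg-config"
    printf '%s\n' "$dir/pkg-config"
}

# Run the probe against one stub; stdout carries the flags only.
demo() {
    PKG_CONFIG=$(make_stub "$1")
    probe_libs libselinux -lselinux
}

echo "debian-like: $(demo debian)"
echo "fedora-like: $(demo fedora)"
```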
From: Michael S. <msc...@gm...> - 2006-10-30 23:10:03
On 30/10/06, Richard van den Berg wrote:
>
> > I've noticed you started adding "-lstatic" in many places.
>
> Where exactly?

False alarm by "grep".

> Since pkg-config is only used for
> --with-selinux that should not be a problem because static linking is
> fully supported on Linux.

Still, some distributions work towards eliminating all static libraries, so wherever possible it is linked dynamically, and then static libraries cannot even be linked accidentally just because they are available.

From: Marc H. <mh+...@zu...> - 2006-11-09 12:16:05
On Sat, Oct 28, 2006 at 01:19:52PM +0200, Marc Haber wrote:
> On Fri, Oct 27, 2006 at 10:50:19PM +0200, Richard van den Berg wrote:
> > Steve Grubb wrote:
> > > I am going to send a series of patches today that adds new features and fixes
> > > bugs and cleans up code for higher performance. The patches are to be applied
> > > sequentially and sometimes fix problems in previous patches. We have tested
> > > the resulting binaries on FC6 Linux.
> >
> > Many thanks for the patches. They have all been committed to CVS. I'll
> > need to do some portability and regression tests before I can start
> > releasing aide 0.13 so others will also benefit from the changes you made.
>
> These are exciting changes. I will build, test and upload a CVS
> snapshot package to Debian experimental later today.

That version has been in Debian experimental for ten days now, and I have not received any issue reports, and I am using it without problems on my personal test systems.

What's the road map to aide 0.13?

Greetings
Marc

From: Richard v. d. B. <ri...@vd...> - 2006-11-10 15:57:07
Marc Haber wrote:
> What's the road map to aide 0.13?

We need to do testing on platforms other than Linux. Anyone here that wants to give the latest cvs snapshot a try? A lot of code has been donated by Redhat, so we need to make sure they did not break compatibility on other platforms.

Also, I want mhash to be configurable with --without-mhash from configure.

After that, we're good to go for aide 0.13-rc1.

Sincerely,

Richard van den Berg

From: Marc H. <mh+...@zu...> - 2006-11-24 10:11:00
On Fri, Nov 10, 2006 at 04:56:51PM +0100, Richard van den Berg wrote:
> Marc Haber wrote:
> > What's the road map to aide 0.13?
>
> We need to do testing on platforms other than Linux. Anyone here that wants
> to give the latest cvs snapshot a try? A lot of code has been donated by
> Redhat, so we need to make sure they did not break compatibility on
> other platforms.

Looks like there are either no bugs, or no interest.

> Also, I want mhash to be configurable with --without-mhash from
> configure.

What's the status about that?

> After that, we're good to go for aide 0.13-rc1.

I would like to try to get 0.13 in Debian etch, which would need a fast release (and it is not guaranteed that I would be granted a soft freeze exception).

Greetings
Marc

From: Richard v. d. B. <ri...@vd...> - 2006-11-24 10:48:47
Marc Haber wrote:
> Looks like there are either no bugs, or no interest.

I think no reports means no interest. Too bad I replaced my SPARC Solaris server with an AMD64 Debian box. I'll see if I can use the compile farm at sourceforge.

> I would like to try to get 0.13 in Debian etch, which would need a
> fast release (and it is not guaranteed that I would be granted a soft
> freeze exception).

I'll try to get 0.13-rc1 out today. If you don't find anything wrong with it, we'll quickly release 0.13.

Sincerely,

Richard van den Berg

From: Marc H. <mh+...@zu...> - 2006-11-24 11:05:23
On Fri, Nov 24, 2006 at 11:48:38AM +0100, Richard van den Berg wrote:
> Marc Haber wrote:
> > I would like to try to get 0.13 in Debian etch, which would need a
> > fast release (and it is not guaranteed that I would be granted a soft
> > freeze exception).
>
> I'll try to get 0.13-rc1 out today. If you don't find anything wrong
> with it, we'll quickly release 0.13.

Great, thanks!

I'm having, however, some difficulties with yesterday's snapshot compiling on Debian sarge:

if gcc -DHAVE_CONFIG_H -I. -I. -I.. -I../include -static -g -O2 -static -g -O2 -static -MT error.o -MD -MP -MF ".deps/error.Tpo" \
  -c -o error.o `test -f 'error.c' || echo './'`error.c; \
then mv -f ".deps/error.Tpo" ".deps/error.Po"; \
else rm -f ".deps/error.Tpo"; exit 1; \
fi
In file included from error.c:38:
../include/util.h:41: error: syntax error before "__extension__"

I have pasted a full build log on http://paste.debian.net/17182

I suspect that some library is too old. What can I do to help finding this? I am by no means an expert in C development.

Greetings
Marc

From: Richard v. d. B. <ri...@vd...> - 2006-11-24 12:21:49
Marc Haber wrote:
> In file included from error.c:38:
> ../include/util.h:41: error: syntax error before "__extension__"

That seems to be about these lines of code:

#ifndef HAVE_STPCPY
char * stpcpy (char*,const char* );
#endif

Just remove them, since stpcpy() is not defined in util.c at all. Let me know how that goes.

Sincerely,

Richard van den Berg

From: Marc H. <mh+...@zu...> - 2006-11-24 13:12:35
On Fri, Nov 24, 2006 at 01:21:38PM +0100, Richard van den Berg wrote:
> Marc Haber wrote:
> > In file included from error.c:38:
> > ../include/util.h:41: error: syntax error before "__extension__"
>
> That seems to be about these lines of code:
>
> #ifndef HAVE_STPCPY
> char * stpcpy (char*,const char* );
> #endif
>
> Just remove them, since stpcpy() is not defined in util.c at all. Let me
> know how that goes.

Builds fine, and runs fine in the test environment.

Looks like we have lost compatibility to mhash 0.9.1 in the past months; building with libmhash 0.9.1 fails:

if gcc -DHAVE_CONFIG_H -I. -I. -I.. -I../include -static -g -O2 -static -g -O2 -static -MT md.o -MD -MP -MF ".deps/md.Tpo" \
  -c -o md.o `test -f 'md.c' || echo './'`md.c; \
then mv -f ".deps/md.Tpo" ".deps/md.Po"; \
else rm -f ".deps/md.Tpo"; exit 1; \
fi
In file included from md.c:23:
../include/md.h:125: error: `MHASH_WHIRLPOOL' undeclared here (not in a function)
md.c: In function `hash_mhash2attr':
md.c:102: error: `MHASH_WHIRLPOOL' undeclared (first use in this function)
md.c:102: error: (Each undeclared identifier is reported only once
md.c:102: error: for each function it appears in.)
md.c: In function `init_md':
md.c:136: error: `MHASH_WHIRLPOOL' undeclared (first use in this function)
md.c: In function `update_md':
md.c:178: error: `MHASH_WHIRLPOOL' undeclared (first use in this function)
md.c: In function `close_md':
md.c:202: error: `MHASH_WHIRLPOOL' undeclared (first use in this function)
make[3]: *** [md.o] Error 1

I have backported libmhash 0.9.7 from Debian sid to Debian sarge and aide builds fine with that. The versioned dependency should be documented with aide.

Greetings
Marc

From: Richard v. d. B. <ri...@vd...> - 2006-11-24 13:26:07
Marc Haber wrote:
> Builds fine, and runs fine in the test environment.

Good. I've removed the lines from util.h in CVS as well.

> Looks like we have lost compatibility to mhash 0.9.1 in the past
> months; building with libmhash 0.9.1 fails:

Yeah, it looks like MHASH_WHIRLPOOL is a new hash that was added by the Redhat patches. I'll stick a note about it somewhere.

Sincerely,

Richard van den Berg

From: Marc H. <mh+...@zu...> - 2006-11-24 13:38:12
On Fri, Nov 24, 2006 at 02:25:58PM +0100, Richard van den Berg wrote:
> Marc Haber wrote:
> > Looks like we have lost compatibility to mhash 0.9.1 in the past
> > months; building with libmhash 0.9.1 fails:
>
> Yeah, it looks like MHASH_WHIRLPOOL is a new hash that was added by the
> Redhat patches. I'll stick a note about it somewhere.

And in the user docs, please, because whirlpool is a new hash that needs to be activated in the config to have it actually used.

Greetings
Marc

From: Richard v. d. B. <ri...@vd...> - 2006-11-24 14:50:26
Marc Haber wrote:
> And in the user docs, please, because whirlpool is a new hash that
> needs to be activated in the config to have it actually used.

I was just adding that part now. :-)

Sincerely,

Richard van den Berg

From: Michael S. <msc...@gm...> - 2006-11-25 11:04:37
On 24/11/06, Richard van den Berg wrote:
> Marc Haber wrote:
>
> > Looks like we have lost compatibility to mhash 0.9.1 in the past
> > months; building with libmhash 0.9.1 fails:
>
> Yeah, it looks like MHASH_WHIRLPOOL is a new hash that was added by the
> Redhat patches. I'll stick a note about it somewhere.

This requires mhash >= 0.9.2, which is the first version which defines it.

In Fedora Extras we've not upgraded beyond 0.9.2, because there have been plenty of problem reports for subsequent releases like 0.9.3 and 0.9.4, particularly on non-i386 platforms. Further, more recent versions of mhash introduce the new "mutils" API which shall be shared with mcrypt and lead to several problems, too.

Maybe it's time to upgrade to mhash 0.9.7.1 and find out what breakage is left.

From: Michael S. <msc...@gm...> - 2006-11-25 12:18:03
mhash 0.9.7.1 is particularly troublesome, since it includes GNU Autoheader definitions in its public API. These constants like VERSION, PACKAGE, PACKAGE_NAME, PACKAGE_VERSION, but also many HAVE_FOO values conflict with other programs which use autoheaders. There is an open bug report about a conflict with AIDE and Steghide.

From: Richard v. d. B. <ri...@vd...> - 2006-11-25 12:41:31
Michael Schwendt wrote:
> mhash 0.9.7.1 is particularly troublesome, since it includes GNU
> Autoheader definitions in its public API. These constants like
> VERSION, PACKAGE, PACKAGE_NAME, PACKAGE_VERSION, but also many
> HAVE_FOO values conflict with other programs which use autoheaders.
> There is an open bug report about a conflict with AIDE and Steghide.

Yeah, that's quite annoying. Aide should work around it though, despite many warnings.

Sincerely,

Richard van den Berg