Colin Watson's blog
source link: https://www.chiark.greenend.org.uk/~cjwatson/blog/man-db-2.8.7.html
Aug 27 2019 man-db 2.8.7
I’ve released man-db 2.8.7 (announcement, NEWS), and uploaded it to Debian unstable.
There are a few things of note that I wanted to talk about here. Firstly, I
made some further improvements to the seccomp sandbox originally introduced
in 2.8.0. I do still think it’s correct to try to confine subprocesses this
way as a defence against malicious documents, but it’s also been a pretty
rough ride for some users, especially those who use various kinds of VPNs or
antivirus programs that install themselves using /etc/ld.so.preload and
cause other programs to perform additional system calls. As well as a few
specific tweaks, a recent discussion on
LWN reminded me that it would be better
to make seccomp return EPERM rather than raising SIGSYS, since that’s
easier to handle gracefully: in particular, it fixes an odd corner case
related to glibc’s nscd handling.
Secondly, there was a build failure on
macOS that took a while to figure
out, not least because I don’t have a macOS test system myself. In 2.8.6 I
tried to make life easier for people on this platform with a CFLAGS tweak,
but I made it a bit too general and accidentally took away configure’s
ability to detect undefined symbols properly, which caused very confusing
failures. More importantly, I hadn’t really thought through why this change
was necessary and whether it was a good idea. man-db uses private shared
libraries to keep its executable size down, and it passes -no-undefined to
libtool to declare that those shared libraries have no undefined symbols
after linking, which is necessary to build shared libraries on some
platforms. But the CFLAGS tweak above directly contradicts this! So,
instead of playing core wars with my own build system, I did some
refactoring so that the assertion that man-db’s shared libraries have no
undefined symbols after linking is actually true: this involved moving
decompression code out of libman, and arranging for the code in libmandb
to take the database path as a
parameter rather than as a global variable (something I’ve meant to fix for
ages anyway;
252d7cbc23,
036aa910ea,
a97d977b0b).
Lesson: don’t make build system changes you don’t quite understand.
Posted by Colin Watson on 2019-08-27 in man-db. Tags: man-db, planet-debian, planet-ubuntu.