Date: Mon, 14 Jan 2008 14:57:59 -0500 From: Chuck Robey <chuckr@chuckr.org> To: Alexander Leidinger <Alexander@Leidinger.net> Cc: freebsd-ports@freebsd.org, Rudy <crapsh@monkeybrains.net> Subject: Re: HOW-TO get Flash7 working! Message-ID: <478BBEC7.6000405@chuckr.org> In-Reply-To: <20080112213747.443a4833@deskjail> References: <64c038660801040516u5c42a6cpadb475ad67fb4730@mail.gmail.com> <20080104174955.52aa33fd@gumby.homeunix.com> <64c038660801041029t1a9662bayed3ca02fd46c7ece@mail.gmail.com> <64c038660801041226k1d350bc6p727e4666ea295727@mail.gmail.com> <477FFE14.1010704@monkeybrains.net> <477FFF63.50004@gmail.com> <47801D54.8050709@gmail.com> <47803E3F.2080005@monkeybrains.net> <47804901.6090007@gmail.com> <4786BF45.8030602@monkeybrains.net> <4786CEDC.3050009@chuckr.org> <20080111170711.t6wxj1bc68cgwwk4@webmail.leidinger.net> <4787E597.9040902@chuckr.org> <20080112213747.443a4833@deskjail>
next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alexander Leidinger wrote: > Quoting Chuck Robey <chuckr@chuckr.org> (Fri, 11 Jan 2008 16:54:31 -0500): > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Alexander Leidinger wrote: >>> Quoting Chuck Robey <chuckr@chuckr.org> (from Thu, 10 Jan 2008 21:05:16 >>> -0500): >>> >>>> I actually got the linux flash9 working. Why didn't I post it, put in a >>>> patch? Because one of the main reasons that it doesn't work now is the >>>> insane way that much Linux libraries are installed. If folks would honor >>> Would you mind telling us how, so that we understand the problem? >>> >>>> hier(7) then all linux libs would go into /usr/compat/usr/lib, but >>>> instead, many linux ports (including browsers, believe me) install into >>>> $(PREFIX)/lib/libsubdir. This means every single linux app that uses >>>> linux >>>> libs hsa to be run with a shell wrapper, artificially extending the >>>> LD_LIBRARY_PATH. Since no porter of an app installing libs knows all the >>>> ports that might use their libs, random breakages are the rule of the >>>> day, >>>> to say nothing of the egregious harm to security this kind of strategy >>>> causes. It's a big reason why the flash things don't work. Want proof? >>>> Go use the linux ldd to see just how long the list of libraries is, that >>>> those extensions use, then you'll begin to see. Not all those libs are >>>> browser products, either. Have fun trying to get a wrapper to work >>>> there. >>>> >>>> I volunteered to fix this situation all myself, if only the ports >>>> management would give me written agreement that the strategy I decry >>>> is in >>>> fact bad software practice, so that I may point to that document to port >>>> authors, when I ask for permission to edit their work. Ports management >>>> hasn't seen fit to reply, or at least, I haven't seen it if they did. I >>>> don't intend to force anyone, but without having ports mangement >>>> backing, I >>>> am NOT going to have this argument with every porter, no way. I tried >>>> that >>>> once, and at least one fellow told me he thought that requiring every >>>> linux >>>> application to have it's own wrapper was the "cleaner" way to go. >>>> Huh, if >>>> that's so, then I guess I should be stopped anyhow. You think that way? >>> I think you are referring to me here. I think the important part to >>> understand my opinion to install end-user applications into PREFIX >>> instead of LINUXPREFIX (note: linux library ports _have_ to go to >>> LINUXBASE) is missing here. >> In fact, I have never been at all good at remembering names, to the point >> that I no longer even try. I haven't the faintest idea (even now) if it >> was you or not. If it pleases you, though, that's fine, assume away. I >> don't think I was insulting, I have made enough of an ass of myself in the >> past to realize the folly of being sarcastic (it always comes back to bite >> you). > > I didn't understand it as insulting. > >>> No user shall have subdirs of LINUXPREFIX in his path. This would open >>> up Pandorra's box. >> OK, need to stop you here. I don't know what that LINUXPREFIX item is. I > > It was either my mispelling of LINUXBASE, or my failed try to make a > distinction between the user chosen prefix for two different > "management domains". Chose the error you like more. ;-) Are you telling me that your statement above should replace LINUXPREFIX with LINUXBASE? OK, I will assume that in my replies below. > >> just grepped for it in /usr/ports subdirs Mk, emulators, and www (recursive >> one), and even did an apropos. I did a bit of googling and found a >> LINUXPREFIX in some Linux docs, is that the one you're referring to? >> What's it mean, how's it used? >> >> Regardless, please, could you explain why it would open up Pandora's Box? >> Maybe if I could have a better handle on what it is, I might not ask that >> question, but I can't, so I'm asking. > > If an user has the bin directories in the LINUXBASE in his path > - he may accidentally execute linux programs when FreeBSD programs > may be required > - a configure run may detect linux things and enable stuff which > is not valid for FreeBSD > - ... (I don't remember everything by heart, and I'm too lazy > currently to try to reverse engineer all of them in my brain, > but you get the big picture of the bad stuff which can happen) If the alternative is to install the executable into the common /usr/local/bin, and effect the choice of executable by adding a "linux-" to the front of any linux command, please explain to me AGAIN why making the ports all sit in a speparate linux directorty is either more complicated or makes using our PATH variable more difficult? And quit *please* your attempts to escape having to explain by saying either "I'm too lazy"or "you understand" or anything of that sort. I don't know it, I don't understand, and if that's your best defense, please quit this, because it's really becoming a pain for most of us to read. If I'm able to honestly defend my position without waffling, so can you. I do wish someone in ports management would just step up and give an authritative decision. For or against me, I would immediately stop defending my position and (if the decision was for me) begin figuring out how to begin making the requisite modifications in ports. For me, that means making private contact with ports owners, I'm not a loose cannon. I only take unilateral action in the case of having no response from ports authors OR not having an active ports author. That's all it would take, to completely end this thread (unless others really felt they needed it more, you understand). I don't like arguing all that much, I'm just of the opinion that ports is being seriously damaged here. > > All of this may be confusing, specially for newbies. And if we require > that users add some LINUXBASE directories to their PATH (which means > manual activity to be able to run a program, where the current approach > doesn't need this and has not the above drawbacks) by default, even > newbies do that, and they will not be able to handle this situation and > will throw FreeBSD away. I'm talking about adding all the ordinary linux paths to our PATH. All that means is to define a LINUXPATH, or even better, to just have all of our linux ports to force this into /etc/csh.cshrc and /etc/profile, which is set to: LINUXPATH=/bin:/sbin:/usr/bin:/usr/sbin and every user have added to their path $(LINUXPATH). That's not all that difficult. The other side of the coin is the extreme improvement of the handling of libraries (and the variable LD_LIBRARY_PATH). The libs go ONLY into /usr/compat/linux/lib and /usr/compat/linux/usr/lib. The LD_LIBRARY_PATH would be a static value that could be defaulted in the linux ld.so, and the serious security problems that are added by all that manipulation of LD_LIBRARY_PATH are avoided. > >> One item that some might not know: most unixes have a strong bias towards >> installing everything into /usr/bin or /usr/lib. Many Linux boxes don't >> even have a /usr/local, or opt, or whatever. Much Linux software makes the >> assumption that it's using a prefix of /usr. I hate this myself, I MUCH >> more like FreeBSD's way of doing things, but I can have my cake and eat it >> too, if Linux software is installed into /compat/linux/usr/bin (and lib, >> etc), I get the separation as far as FreeBSD is concerned, but Linux >> software is fooled into obeying their abhorrent lack of separation. Real nice. >> >> [Man, your mail is huge, I would have preferred to make it decide things in >> smaller bits, but I guess not.] Continuing ... >> >>> A clean way to achieve this is to have something in prefix which calls >>> the linux program. This can be a symlink or a wrapper in PREFIX. If you >>> install parts of a port into LINUXPREFIX and a link/wrapper in PREFIX >>> (or more generic: if you have 2 different prefixes in a port), you have >>> to do some ports-magic. If you install the port in a sub-directory in >>> PREFIX and add a wrapper in the PREFIX/bin, you don't have to do >>> ports-magic. >> OK. Ab initio, I have always felt that using wrappers was a tacky way to >> do things. Not that it wasn't sometimes the only available way to go, but > > It would be nice to do it without the wrapper, but as I already said, > the current situation looks to me as the most pragmatic one. And as the > linuxulator in the kernel is a wrapper of some kind itself, I prefer to > not say bad things about wrappers... ;) > >> certainly to be avoided. I also have always felt that screwing with >> LD_LIBRARY_PATH, as your wrappers would need to do, is a security problem, > > I fail to see how it is a security problem, when the wrapper sets > LD_LIBRARY_PATH. It's widely discussed on security lists elsewhere, but I can tell you its because one can very easily insert code into anything run by a root user, if one's dynamic libraries can be modified. I am fairly sure that adding 50 more lines here discussing why adding extra LD_LIBRARY_PATHs is getting too far off the real topic. I am not going to use your tactic of "it's obvious" or "I'm too lazy" though, I did just give you the basic understanding. OK, good point to make a summation: you have above admitted that both my assertions of using wrappers, all managing all the extra library dearch paths, is a bad thing. I have above told you that you need to be better in defending your problems with having a separate linux binary path, that your use of "it's obvious" is tantamoun to admitting you can't defend it, so you're hoping you can dance around it. My thesis is included at the top of this mail. I need, however, to get ports management to comment here. I have already mailed them directly, but have gotten no response. More people, I think, need to ask their ports management to wake up, and to deliver a ruling here. I will accept either a "you're right" or "you're wrong", but not being ignored. And just getting you, Alex, to agree/disagree, well, I only used you as an excuse to give my thesis to the ports list. To either shut me up, or let me loose to begin the corrections, I need some response from authority. To ports-management: I won't give you some embarrassing argument, either. I just need a ruling. Others might possibly argue here, I can't promise you that there won't be any disagreement, but I will politely abide by any official ruling. You'll get no argument from me, at least. You can set it yourself and give the application some > "wrong" stuff, but if we assume the wrapper in the port is not a trojan > horse but sets the LD_LIBRARY_PATH correctly, then it should be fine. > Depending on the concrete situation I may agree upon the security > problem point of view, but for this I need to know the concrete > situation. > >> which again might sometimes be the best way to go, but not ever the first >> choice. This is only part of my argument, though (I would be embarrassed >> if my argument was only based upon my prejudices). >> >> The larger real problem is, some ports install libs, and do not know what >> possible executables might need to have their wrappers adjusted. Also, >> some items are difficult to use any wrappers on at all. As an example, the >> flash9 plugin needed a linux lib, libdl.so (I think it was .so.2). If I >> wanted to be complete, it really needed about twenty different libraries, >> but libdl.so will serve as an example well enough). It had been installed >> in some subdir of /usr/local/lib. I couldn't get a wrapper to work in > > As Boris already commented, it seems some other port is interfering > here, or something is broken on your end. Please use pkg_which to > investigate which port installed it there, so that we can have a look > at this port. > >> that case, and I wasn't going to bork up my linux LD_LIBRARY_PATH with >> about half a dozen locations (which do change occaisonally). Trying to do >> all the work of maintaining that wrapper would have made the task nearly >> impossible, so I decided to just copy libs to >> /usr/compat/usr/linux/usr/lib, and it was immediately recognized. I went >> about doing an linux ldd on the plugin, then moving libs and making sure >> with the linux ldd that the plugin was happy once I'd moved the libs. >> There were one or two that needed to be in a subdir of the browser dir >> itself, but mostly, putting it in the compat path worked, and once I was >> finished, flash9 just worked ok. > > It needs careful investigation which ports install those libs there and > why. Maybe something is wrong, maybe not. It would help if you list the > libs which you think are installed incorrectly together with the ports > which installed them. We can have a look at them then and decide how > the situation can be improved. > >> Making a wrapper for the flash9, even if you could coax the browser to >> accept the plugin with a wrapper around it, would not be much of a fun >> task, and the people who put the libs in place, they don't have to help >> you, because you have told them they can put their libs any darn place they >> please. > > While it is possible to make a wrapper around dynamic libs (with the > help of /etc/libmap.conf), a solution without it is preferred. > >> Another really nice fallout from putting things into the compat structure >> is that chroots now work very nicely to make you an extremely compatible >> linux arch. Can't do that with having everything installed all over. > > Sorry to disappoint you, but the linux_base ports are not designed for > this. We rely on some fallthrough to the FreeBSD root directory for > some config files which we have at the same location than linux and are > syntactically compatible. > > If you want a linux base system to chroot into, you should install one > of the linux_dist ports. > >> If you could please, in answering this email, explain your "Pandora's Box" >> comment, and also explain why installing hard to maintain wrappers is >> better than the way that Linux itself does it, I'd appreciate that. I > > Linux can do it without wrappers, as it hasn't to emulate a foreign > API. As we have to do this, we sometimes have to use wrappers. > >> can't see why, and tossing it off with a tagline like "opening Pandora's >> Box" is cheating, although I can see, can understand why you did it, >> explaining this long argument is tedious, I grant you that. Still, you >> opened the box ... > > If you have some more questions, just ask. > > Bye, > Alexander. > -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHi77Hz62J6PPcoOkRAop3AJ4pjyyx4g90Mie0R+fVzjfL45cUMwCdHRzq pn5oyQBhTmmDUYL+G9WwWwg= =KMAQ -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?478BBEC7.6000405>