From owner-freebsd-ports-bugs@freebsd.org Thu Apr 14 21:59:07 2016 Return-Path: Delivered-To: freebsd-ports-bugs@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 77F4EAECB4D for ; Thu, 14 Apr 2016 21:59:07 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 678861C09 for ; Thu, 14 Apr 2016 21:59:07 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id u3ELx682067980 for ; Thu, 14 Apr 2016 21:59:07 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-ports-bugs@FreeBSD.org Subject: [Bug 208810] net/samba43: way too many dependencies Date: Thu, 14 Apr 2016 21:59:06 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Ports & Packages X-Bugzilla-Component: Individual Port(s) X-Bugzilla-Version: Latest X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: jdc@koitsu.org X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: timur@FreeBSD.org X-Bugzilla-Flags: maintainer-feedback? X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter flagtypes.name Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 Apr 2016 21:59:07 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D208810 Bug ID: 208810 Summary: net/samba43: way too many dependencies Product: Ports & Packages Version: Latest Hardware: amd64 OS: Any Status: New Severity: Affects Only Me Priority: --- Component: Individual Port(s) Assignee: timur@FreeBSD.org Reporter: jdc@koitsu.org Flags: maintainer-feedback?(timur@FreeBSD.org) Assignee: timur@FreeBSD.org WARNING: Long, because this goes into detail about the mess. I saw this in ports/UPDATING today: 20160412: AFFECTS: Users of net/samba42 and net/samba/43 AUTHOR: timur@FreeBSD.org Samba 4.2.x and 4.3.x ports have been updated to address BadLock(http://badlock.org) vulnerability, as well as few other discovered. Please note that Samba 4.1.x and older versions are also affected by the issues fixed with this release but are not supported anymore. It is strongly recommend to upgrade to a recent version at your earliest convenience. The security updates include new smb.conf options and a number of stricter behaviours to prevent Man in the Middle attacks. Between these changes, compatibility with a large number of older software versions has been lost in the default configuration. For more information about the related behaviour changes and the security issues please visit: https://www.samba.org/samba/latest_news.html#4.4.2 https://www.samba.org/samba/history/samba-4.3.8.html https://www.samba.org/samba/history/samba-4.2.11.html Alongside this from pkg audit (because I use net/samba36): samba36-3.6.25_2 is vulnerable: samba -- multiple vulnerabilities CVE: CVE-2016-2118 CVE: CVE-2016-2115 CVE: CVE-2016-2114 CVE: CVE-2016-2113 CVE: CVE-2016-2112 CVE: CVE-2016-2111 CVE: CVE-2016-2110 CVE: CVE-2015-5370 WWW: https://vuxml.FreeBSD.org/freebsd/a636fc26-00d9-11e6-b704-000c292e4fd8.html In other words: I really need to upgrade to one of the net/samba4* ports. Here are the settings I use to build samba36 from ports, because I wanted a very minimal Samba (I do not need all the extra bloat): net_samba36_SET+=3D AIO_SUPPORT net_samba36_UNSET+=3D LDAP CUPS ACL_SUPPORT WINBIND POPT With this, we end up with: net/samba36 make all-depends-list | wc -l: 26 net/samba36 make run-depends-list | wc -l: 5 net/samba36 make build-depends-list | wc -l: 9 net/samba36 make package-depends-list | wc -l: 10 net/samba36 make test-depends-list | wc -l: 0 Now let's compare with stock settings for net/samba43: net/samba43 make all-depends-list | wc -l: 53 net/samba43 make run-depends-list | wc -l: 18 net/samba43 make build-depends-list | wc -l: 22 net/samba43 make package-depends-list | wc -l: 35 net/samba43 make test-depends-list | wc -l: 2 And pkg install samba43: New packages to be INSTALLED: samba43: 4.3.3_2 libsunacl: 1.0 popt: 1.16_1 openldap-client: 2.4.44 py27-dnspython: 1.12.0 py27-setuptools27: 20.0 ldb: 1.1.24 libgcrypt: 1.6.5_1 libgpg-error: 1.21 gnutls: 3.4.10 nettle: 3.2 gmp: 5.1.3_3 libtasn1: 4.7 p11-kit: 0.23.2 trousers-tddl: 0.3.10_7 libinotify: 20150910 gamin: 0.1.10_8 glib: 2.46.2 libarchive: 3.1.2_6,1 lzo2: 2.09 My mind is blown. Surely a substantial amount of this isn't required, righ= t?=20 So let's tweak some of the options in make config to try and mimic samba36 = as much as possible. Let's try these, followed by make rmconfig (just as a precaution), and redo numbers: net_samba43_UNSET+=3D ACL_SUPPORT ADS AD_DC DNSUPDATE FAM LDAP net_samba43_UNSET+=3D QUOTAS SYSLOG UTMP Afterwards: net/samba43 make all-depends-list | wc -l: 50 net/samba43 make run-depends-list | wc -l: 16 net/samba43 make build-depends-list | wc -l: 20 net/samba43 make package-depends-list | wc -l: 31 net/samba43 make test-depends-list | wc -l: 2 This is very disheartening. I see stuff like GNUTLS, GPG, SASL v2, popt, and a whole ton of other things which are probably "trickling dependencies" from some other port but I can't tell which/what (I'd need to track it down one by one -- I really wish the X-depends-list targets had a way to print a more "tree-like" structure"). The question then became: is all this garbage really needed? The answer appears to be ***NO***. I pulled down the samba43 source code myself and configured/compiled it wit= h a set of very minimal flags (I can provide those if you need), and I was able= to build it and get it running on my system which includes basically none of t= he above "excessive" libraries). The libraries on my system: apache24-2.4.20 Version 2.4.x of Apache web server apr-1.5.2.1.5.4 Apache Portability Library autoconf-wrapper-20131203 Wrapper script for GNU autoconf bash-4.3.42_1 The GNU Project's Bourne Again SHell bonnie++-1.97_3 Performance Test of Filesystem I/O bsdhwmon-20151206 Hardware sensor monitoring utility for FreeB= SD ca_root_nss-3.22.2 Root certificate bundle from the Mozilla Pro= ject curl-7.48.0_2 Non-interactive tool to get files from FTP, GOPHER, HTTP(S) servers cvsps-2.1_1 Create patchset information from CVS cyrus-sasl-2.1.26_12 RFC 2222 SASL (Simple Authentication and Security Layer) db5-5.3.28_3 The Oracle Berkeley DB, revision 5.3 ddrescue-1.18.1 Data recovery tool dialog4ports-0.1.5_2 Console Interface to configure ports epic4-2.10.5_2 The (E)nhanced (P)rogrammable (I)RC-II (C)li= ent expat-2.1.0_3 XML 1.0 parser written in C fetchmail-6.3.26_2 Batch mail retrieval utility for IMAP/POP3/ETRN/ODMR gdbm-1.11_2 GNU database manager gettext-runtime-0.19.7 GNU gettext runtime libraries and programs gettext-tools-0.19.7 GNU gettext development and translation tools git-2.8.1 Distributed source code management tool gmake-4.1_2 GNU version of 'make' utility gmake-lite-4.1_1 Minimalist version of gnu make help2man-1.43.3_1 Automatically generating simple manual pages from program output icu-55.1 International Components for Unicode (from I= BM) indexinfo-0.2.4 Utility to regenerate the GNU info page index libexecinfo-1.1_3 Library for inspecting program's backtrace libffi-3.2.1 Foreign Function Interface libiconv-1.14_9 Character set conversion library libidn-1.31 Internationalized Domain Names command line = tool libxml2-2.9.3 XML parser library for GNOME lynx-2.8.8.2_3,1 Non-graphical, text-based World-Wide Web cli= ent m4-1.4.17_1,1 GNU m4 mariadb100-client-10.0.23 Multithreaded SQL database (client) mariadb100-server-10.0.23 Multithreaded SQL database (server) mime-support-3.58 MIME Media Types list mod_php70-7.0.5_1 PHP Scripting Language mtr-nox11-0.86 Traceroute and ping in a single network diagnostic tool mutt-1.6.0_1 The Mongrel of Mail User Agents (development version) p5-Authen-NTLM-1.09_1 Perl5 NTLM authentication module p5-Authen-SASL-2.16_1 Perl5 module for SASL authentication p5-Digest-HMAC-1.03_1 Perl5 interface to HMAC Message-Digest Algorithms p5-Encode-Locale-1.05 Determine the locale encoding p5-Error-0.17024 Error/exception handling in object-oriented programming style p5-File-Listing-6.04_1 Parse directory listings p5-GSSAPI-0.28_1 Perl extension providing access to the GSSAP= Iv2 library p5-HTML-Parser-3.72 Perl5 module for parsing HTML documents p5-HTML-Tagset-3.20_1 Some useful data table in parsing HTML p5-HTTP-Cookies-6.01_1 HTTP Cookie jars p5-HTTP-Daemon-6.01_1 Simple HTTP server class p5-HTTP-Date-6.02_1 Conversion routines for the HTTP protocol da= te formats p5-HTTP-Message-6.11 Representation of HTTP style messages p5-HTTP-Negotiate-6.01_1 Implementation of the HTTP content negotiati= on algorithm p5-IO-HTML-1.001_1 Open an HTML file with automatic charset detection p5-IO-Socket-IP-0.37 Drop-in replacement for IO::Socket::INET supporting IPv4 and IPv6 p5-IO-Socket-SSL-2.025 Perl5 interface to SSL sockets p5-LWP-MediaTypes-6.02_1 Guess media type for a file or a URL p5-Locale-gettext-1.06 Message handling functions p5-Mozilla-CA-20160104 Perl extension for Mozilla CA cert bundle in= PEM format p5-Net-HTTP-6.09 Low-level HTTP client p5-Net-SMTP-SSL-1.03 SSL support for Net::SMTP p5-Net-SSLeay-1.73 Perl5 interface to SSL p5-Socket-2.021 Networking constants and support functions p5-URI-1.71 Perl5 interface to Uniform Resource Identifi= er (URI) references p5-WWW-RobotRules-6.02_1 Database of robots.txt-derived permissions p5-libwww-6.15 Perl5 library for WWW access pcre-8.38_1 Perl Compatible Regular Expressions library perl5-5.20.3_11 Practical Extraction and Report Language php70-7.0.5_1 PHP Scripting Language php70-curl-7.0.5_1 The curl shared extension for php php70-json-7.0.5_1 The json shared extension for php php70-mysqli-7.0.5_1 The mysqli shared extension for php php70-opcache-7.0.5_1 The opcache shared extension for php php70-simplexml-7.0.5_1 The simplexml shared extension for php pkg-1.7.2 Package manager portlint-2.16.8 Verifier for FreeBSD port directory postfix-sasl-3.1.0,1 Secure alternative to widely-used Sendmail procmail-3.22_8 Local mail delivery agent python-2.7_2,2 The "meta-port" for the default version of Python interpreter python2-2_3 The "meta-port" for version 2 of the Python interpreter python27-2.7.11_1 Interpreted object-oriented programming lang= uage rsync-3.1.2_1 Network file distribution/synchronization utility samba36-3.6.25_2 Free SMB and CIFS client and server for Unix serf-1.3.8_1 Serf HTTP client library smartmontools-6.4_2 S.M.A.R.T. disk monitoring tools sqlite3-3.11.1 SQL database engine in a C library subversion-1.9.3_3 Version control system sudo-1.8.16 Allow others to run commands as root talloc-2.1.5 Hierarchical pool based memory allocator tcl84-8.4.20_2,1 Tool Command Language tdb-1.3.8,1 Trivial Database tevent-0.9.26 Talloc based event loop library urlview-0.9.20131021 URL extractor/launcher vim-lite-7.4.1721 Improved version of the vi editor (lite pack= age) wget-1.16.3_1 Retrieve files from the Net via HTTP(S) and = FTP zfs-stats-lite-1.3 Display human-readable ZFS statistics zip-3.0_1 Create/update ZIP files compatible with PKZIP I also found this in the Makefile: # XXX: Unconditional dependencies which can't be switched off(if present # in the system) And there appear to be many in there for which this is not true. This matter really needs some attention. I would strongly suggest creating= a net/samba43-lite shim port (see editors/vim-lite, mail/mutt-lite, and net/mtr-nox11 for examples) that provides "basic/minimal" functionality for those of us that want such. Please DO NOT remove AIO support though -- tha= t is absolutely needed at this point in time. Now, because I know someone will say it -- "please provide patches" -- I ha= ve actually given this a shot (honest -- and I used to be a ports committer!).= =20 The existing Makefile is a nightmare. I can try my best at this, but it's going to take me probably a week and a half or more because I have to reverse-engineer all of what's there. Maybe I could speed up the work time= by simply pulling features out (deleting lines) entirely. Honestly it looks to me like there's just a lot of neglect to "minimalism" = in this port. Yes, I'm well aware the Samba guys have a tendency to bloat thi= ngs, but I really think a lot of this hullabaloo is on the FreeBSD port side, no= t on the Samba side. --=20 You are receiving this mail because: You are the assignee for the bug.=