Subject: Re: Bzip2 download and CVE-2019-12900 fix?
From: Mark Wielaard
To: noloader@gmail.com
Cc: bzip2-devel@sourceware.org
Date: Tue, 01 Jan 2019 00:00:00 -0000
List: bzip2-devel@sourceware.org (archive: 2019-q2/txt/msg00018.txt.bz2)

On Wed, 2019-06-26 at 11:15 -0400, Jeffrey Walton wrote:
> There's a lot to the msg00014.html list message. I run with a patched
> version of Bzip2. Makefile and Makefile-libbz2_so need some polishing
> to get them to respect CFLAGS and LDFLAGS. Otherwise they ignore our
> flags.
>
> Also, the recipe for libbz2.so.1.0.6 breaks on non-Linux systems
> because -Wl,-soname is a GNU ld thing.
>
> You can get an idea of the Makefile changes by comparing with
> https://github.com/noloader/bzip2-noloader. Also see
> https://www.gnu.org/prep/standards/html_node/Command-Variables.html

Thanks. And yes, the current Makefiles are horrible.

I am certainly not arguing for not updating the build system to
something more sane :) It is just that if we are going to do a quick
1.0.7 release for the latest CVE I think it should not mess up anything
else, but just contain those bug/security fixes (and remove all traces
from the old lost domain so people know it has been migrated to
sourceware.org). People have been using these horrible Makefiles either
as is or have known workarounds for them.

But yes, please let's also do a revamped 1.1.x release that makes some
tough decisions about what build system to adopt, possibly mess with
the SONAME, etc.

Cheers,

Mark