hi!

I think I've found the problem.

It's because of http://pkgs.fedoraproject.org/cgit/ldns.git/tree/ldns-1.6.17-multilib.patch?h=f20
In the last line there is an " missing.

Instead of

+LDFLAGS_SEC="@LDFL

it should be

+LDFLAGS_SEC="@LDFL"


Cheers,
 Flo

Created attachment 942826 [details]
Add the missing quotation mark

I hope I'm doing it right.

oops. actually it looks badly truncated

I was not sure if I should fix the patch or the patched file. As you can see in attachment #942826 [details], I have finally decided to patch the patch.

the patch I used is:

diff --git a/ldns-1.6.17-multilib.patch b/ldns-1.6.17-multilib.patch
index 7708be2..0a565d3 100644
--- a/ldns-1.6.17-multilib.patch
+++ b/ldns-1.6.17-multilib.patch
@@ -54,7 +54,7 @@ diff -Naur ldns-1.6.17-orig/packaging/ldns-config.in ldns-1.6.17/packaging/ldns-
 +esac
 +
 +LDFLAGS="@LDFLAGS@ @LIBSSL_LDFLAGS@ -L$LIBDIR -l@PYTHON_LIB@"
-+LDFLAGS_SEC="@LDFL
++LDFLAGS_SEC="@LDFLAGS@ @LIBSSL_LDFLAGS@ -L$LIBDIR_SEC -l@PYTHON_LIB@"
  
  for arg in $@
  do

ldns-1.6.17-8.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/ldns-1.6.17-8.fc21

ldns-1.6.17-8.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/ldns-1.6.17-8.fc20

ldns-1.6.17-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/ldns-1.6.17-1.el6

This update doesn't work for me, ldns-config now prints empty string insted of syntax error. This prevents OpenDNSSEC from configuring correctly. Please compare the output with version ldns-devel-1.6.16-7.fc20.x86_64.

I'm not sure I understand:

[root@nic ~]# rpm -hiv ldns-*
Preparing...                          ################################# [100%]
Updating / installing...
   1:ldns-utils-1.6.17-8.fc20         ################################# [ 33%]
   2:ldns-1.6.17-8.fc20               ################################# [ 67%]
   3:ldns-devel-1.6.17-8.fc20         ################################# [100%]
[root@nic ~]# ldns-config --libs
-Wl,-z,relro,-z,now -pie  -L/usr/lib64 -lpython2.7 -L/usr/lib64   -lcrypto -ldl -lldns
[root@nic ~]# ldns-config --libs_sec
-Wl,-z,relro,-z,now -pie  -L/usr/lib -lpython2.7 -L/usr/lib   -lcrypto -ldl -lldns
[root@nic ~]# ldns-config --cflags
-I/usr/include

What is not working?

I'm sorry for not being clear. Let me reproduce the issue - I will try to configure opendnssec 1.4.6:

# Let's start with 16-7:

$ rpm -qa 'ldns*'
ldns-1.6.16-7.fc20.x86_64
ldns-devel-1.6.16-7.fc20.x86_64

$ cd /tmp/opendnssec-1.4.6
$ ./configure
-> This finishes correctly.


# Let's upgrade ldns to 17-8:
$ dnf upgrade 'ldns*'
$ rpm -qa 'ldns*'
ldns-utils-1.6.17-8.fc20.x86_64
ldns-1.6.17-8.fc20.x86_64
ldns-devel-1.6.17-8.fc20.x86_64

$ cd /tmp/opendnssec-1.4.6
$ ./configure
checking for ldns-config... /bin/ldns-config
checking what are the ldns includes... -I/usr/include
checking what are the ldns libs... -Wl,-z,relro,-z,now -pie  -L/usr/lib64 -lpython2.7 -L/usr/lib64   -lcrypto -ldl -lldns
checking for ldns_rr_new in -lldns... no
configure: error: Can't find ldns library


Apparently ldns-config has some output but it still doesn't work.

I can reproduce this constantly by downgrading and upgrading packages.

$ rpm -qV ldns ldns-devel ldns
... outputs nothing so there should be no problem with data on my filesystem.

Hi!

In http://pkgs.fedoraproject.org/cgit/ldns.git/tree/ldns-1.6.17-multilib.patch in line 52 there is an / missing in front of usr.

Instead of 

LIBDIR_SEC="usr/lib64"

it should be

LIBDIR_SEC="/usr/lib64"

Am i right?
But I'm not sure if this is the reason.

Package ldns-1.6.17-1.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing ldns-1.6.17-1.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3060/ldns-1.6.17-1.el6
then log in and leave karma (feedback).

Looks like this change fixes it:

#LDFLAGS="-Wl,-z,relro,-z,now -pie -L$LIBDIR -lpython2.7"
#LDFLAGS_SEC="-Wl,-z,relro,-z,now -pie -L$LIBDIR_SEC -lpython2.7"
LDFLAGS="-Wl,-z,relro -Wl,-z,now -pie -L$LIBDIR -lpython2.7"
LDFLAGS_SEC="-Wl,-z,relro -Wl,-z,now -pie -L$LIBDIR_SEC -lpython2.7"

note 1.6.16 had:

LDFLAGS="-Wl,-z,relro -L$LIBDIR -lpython2.7"
LDFLAGS_SEC="-Wl,-z,relro -L$LIBDIR_SEC -lpython2.7"

Actually I had a test error using LDNS_CONFIG= is override. the actual problem is the addition of -pie

Petr,

Can you confirm the rawhide build resolves your issue? I'm pretty sure, but I'd like a second opinion.

The problem was that the multilib patch bled our hardening options into the ldns-config script. But it only leaked into --libs (eg the -pie option) but not in the --cflags option (eg the -fPIC). So compilation in ./configure of the test program for ldns failed to compile causing configure in opendnssec to reject the ldns install.

I checked a bunch of /usr/bin/*-config output, and none show any hardening flags. So the rawhide build now also filters those out in ldns-config.

I also noticed that pkg-config calls failed, and I will update the build to properly install the .pc file so that software using pkg-config --libs ldns will also work.

I confirm that I'm able to configure & build opendnssec-1.4.6 if I install ldns-1.6.17-9.src.rpm from Koji and rebuild it on Fedora 20.

hi Paul!

Could you please merge the changes to the other branches like f19,f20 and f21?

Cheers,
 Flo

ldns-1.6.17-8.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

ldns-1.6.17-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

ldns-1.6.17-9.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/ldns-1.6.17-9.fc20

ldns-1.6.17-9.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.