Bug 1549190 - dnsmasq: new build uses nettle_get_hashes automatically, but soname did not change since it was added
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: nettle
Version: 27
Hardware: Unspecified
OS: Unspecified
Assignee: David Woodhouse
QA Contact: Fedora Extras Quality Assurance
Duplicates: 1556890
Depends On: 1548060
Reported: 2018-02-26 16:13 UTC by Petr Menšík
Modified: 2018-10-31 07:11 UTC (History)
Clone Of: 1548060
Last Closed: 2018-10-31 07:11:15 UTC
Type: Bug
Description Petr Menšík 2018-02-26 16:13:16 UTC
+++ This bug was initially created as a clone of Bug #1548060 +++

Description of problem:

If you install dnsmasq on a system without a fully up to date nettle rpm then you get an error. 


```
[root@localhost ~]# dnf install dnsmasq
...
Installed:
  dnsmasq.x86_64 2.78-2.fc27

Complete!
[root@localhost ~]# dnsmasq --version
dnsmasq: relocation error: dnsmasq: symbol nettle_get_hashes, version NETTLE_6 not defined in file libnettle.so.6 with link time reference
[root@localhost ~]# rpm -q nettle dnsmasq
nettle-3.3-5.fc27.x86_64
dnsmasq-2.78-2.fc27.x86_64
```

It might be a good idea to require a minimum version of nettle to not hit this problem.

--- Additional comment from Itamar Reis Peixoto on 2018-02-23 04:52:21 CET ---

I am just looking around, and I have something to say.

dnsmasq buildrequires nettle-devel, and nettle-devel requires nettle.

After dnsmasq finishes compiling, rpm sees that dnsmasq is linked with libnettle.so.6
and adds a requires libnettle.so.6()(64bit), so my opinion here is ->

rpm should see who owns libnettle.so.6 ->

```
rpm -qf /usr/lib64/libnettle.so.6
 nettle-3.4-1.fc27.x86_64
```

In my opinion rpm should add nettle-3.4-1.fc27.x86_64 into requires.

What do you think about it?

--- Additional comment from Dusty Mabe on 2018-02-23 05:05:16 CET ---

(In reply to Itamar Reis Peixoto from comment #1)

> What do you think about it?

I honestly don't know. Just figured I would report what I found. Maybe nettle made a breaking change in the middle of a release?

--- Additional comment from Petr Menšík on 2018-02-26 17:07:45 CET ---

No, it should not. RPM will try to find any package that provides the libnettle.so.6 library. You can try the "rpm -q --requires dnsmasq" command to see what packages are required, and then "dnf repoquery --whatprovides 'libnettle.so.6()(64bit)'" to search for what can provide this library. RPM can work this out correctly.

This trouble is about the nettle_hashes symbol. The failure in dnsmasq is that it uses the array directly. It changed to using the function nettle_get_hashes@NETTLE_6 automatically with a newer build. It changed from referencing the original array to a function returning only the start pointer. That is a good thing, because the array is not good for dynamic linking. The problem is that the version of the library should have been raised with that change, because the old library still provides exactly the same library as the more recent one, but it is not backward compatible. Dnsmasq, without any change in its code, had different dependencies with the more recent nettle after a recent build.

```
$ dnf repoquery --provides nettle-3.4-1.fc27.x86_64 | grep nettle
Last metadata expiration check: 0:35:30 ago on Mon 26 Feb 2018 04:22:49 PM CET.
libnettle.so.6()(64bit)
libnettle.so.6(NETTLE_6)(64bit)
nettle = 3.4-1.fc27
nettle(x86-64) = 3.4-1.fc27

$ LANG=en_US.UTF-8 dnf repoquery --provides nettle-3.3-5.fc27.x86_64 | grep nettle
Last metadata expiration check: 0:36:11 ago on Mon 26 Feb 2018 04:22:49 PM CET.
libnettle.so.6()(64bit)
libnettle.so.6(NETTLE_6)(64bit)
nettle = 3.3-5.fc27
nettle(x86-64) = 3.3-5.fc27
```

This is why RPM will allow you to install an older version, which in fact cannot satisfy the dependencies.

I will update dnsmasq to always explicitly use nettle_get_hashes and require nettle >= 3.4, the version since which this function is available. I think the failure is in the nettle build.

Comment 1 Petr Menšík 2018-02-26 16:18:17 UTC
Nettle changed its ABI with backward-incompatible changes. Because the soversion did not change, RPM will allow installation of a version not providing the new symbol used. The main problem is that the new function is used automatically, without a code change, on new builds. Please ensure ABI changes also change the library version.
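
An added example, not part of the bug report or of Fedora's tooling: the mismatch described above, checked on constructed `readelf --dyn-syms -W` excerpts. It compares the dependency strings RPM records (soname plus version node) with a per-symbol check; the sample rows, their addresses and the `nettle_sha256_init` import are assumptions made for illustration.

```python
# Constructed `readelf --dyn-syms -W` excerpts, not captured from the real packages.
HDR = "   Num:    Value          Size Type    Bind   Vis      Ndx Name\n"
DNSMASQ = HDR + """\
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND nettle_get_hashes@NETTLE_6 (4)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND nettle_sha256_init@NETTLE_6 (4)
"""
NETTLE_3_3 = HDR + """\
    10: 0000000000231a00    64 OBJECT  GLOBAL DEFAULT   21 nettle_hashes@@NETTLE_6
    11: 0000000000019f40    85 FUNC    GLOBAL DEFAULT   12 nettle_sha256_init@@NETTLE_6
"""
NETTLE_3_4 = HDR + """\
    10: 000000000000a1c0     8 FUNC    GLOBAL DEFAULT   12 nettle_get_hashes@@NETTLE_6
    11: 000000000001a040    85 FUNC    GLOBAL DEFAULT   12 nettle_sha256_init@@NETTLE_6
"""


def parse_dynsyms(text):
    """Split versioned .dynsym rows into imports (Ndx UND) and exports."""
    imports, exports = set(), set()
    for line in text.splitlines():
        f = line.split()
        # Skip the header, unnamed entries and unversioned symbols.
        if len(f) < 8 or not f[0].rstrip(":").isdigit() or "@" not in f[7]:
            continue
        sym, _, ver = f[7].partition("@")  # "name@VER" (import) or "name@@VER" (export)
        (imports if f[6] == "UND" else exports).add((sym, ver.lstrip("@")))
    return imports, exports


def rpm_deps(soname, pairs):
    """Dependency strings at the granularity RPM records: soname and version node."""
    plain = {f"{soname}()(64bit)"}
    return plain | {f"{soname}({ver})(64bit)" for _, ver in pairs}


def check(binary, library, soname="libnettle.so.6"):
    """Return (rpm_level_ok, symbols the dynamic linker could not bind)."""
    imports, _ = parse_dynsyms(binary)
    _, exports = parse_dynsyms(library)
    rpm_ok = rpm_deps(soname, imports) <= rpm_deps(soname, exports)
    missing = sorted(sym for sym, _ in imports - exports)
    return rpm_ok, missing


if __name__ == "__main__":
    for name, lib in (("nettle 3.3", NETTLE_3_3), ("nettle 3.4", NETTLE_3_4)):
        print(name, check(DNSMASQ, lib))
```

On a real system the two inputs would come from `readelf --dyn-syms -W` run on the dnsmasq binary and on the installed libnettle.so.6.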

Comment 2 Tomas Mraz 2018-02-27 09:49:27 UTC
Please note that Nettle should not be used directly if FIPS compliance is a concern. It should be used only indirectly through gnutls or a different crypto library should be used instead.

Comment 3 Petr Menšík 2018-03-15 20:03:23 UTC
New bug #1556890 was filed about the same problem. I think one of them should be marked duplicate, but will leave it for you to decide.

Comment 4 Nikos Mavrogiannopoulos 2018-03-19 06:37:58 UTC
*** Bug 1556890 has been marked as a duplicate of this bug. ***

