1909801 – fprintd links against libnss3.so and libnssutil3.so but does not depend on nss and nss-util

Bug 1909801 - fprintd links against libnss3.so and libnssutil3.so but does not depend on nss and nss-util

Summary: fprintd links against libnss3.so and libnssutil3.so but does not depend on ns...

Keywords:
Status:	CLOSED DUPLICATE of bug 1908791
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	fprintd
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Benjamin Berg
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	openqa
Depends On:
Blocks:	F34FinalBlocker
TreeView+	depends on / blocked

Reported:	2020-12-21 17:08 UTC by Adam Williamson
Modified:	2020-12-22 10:04 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2020-12-21 17:45:39 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Adam Williamson 2020-12-21 17:08:40 UTC

In current Fedora Rawhide, the fprintd service fails to start after default Fedora Server package set install:

https://openqa.fedoraproject.org/tests/744980

The failing service is fprintd. It fails on:

Dec 21 04:48:31 localhost.localdomain systemd[1]: Starting Fingerprint Authentication Daemon...
Dec 21 04:48:32 localhost.localdomain fprintd[793]: /usr/libexec/fprintd: error while loading shared libraries: libnss3.so: cannot open shared object file: No such file or directory
Dec 21 04:48:32 localhost.localdomain systemd[1]: fprintd.service: Main process exited, code=exited, status=127/n/a

examining the executable with ldd, it is linked against libnss3.so and libnssutil3.so , but the fprintd package does not depend on nss or nss-util. Nothing else in the default Server package set pulls in nss or nss-util, so the service startup fails. On other editions I think this bug is masked because nss and nss-util are pulled in via other dep chains.

I'm not sure *exatly* how the executable comes to be linked against those libraries; I think the build flags get to include `-I/usr/include/nss3` because it's in the Requires(private) of libfprint and fprintd's src/meson.build and utils/meson.build both have `link_with: libfprintd_private`, but beyond that I'm not sure if this is the intended result or what the best fix should be. But as things stand it's certainly broken.

Comment 1 Adam Williamson 2020-12-21 17:10:10 UTC

Proposing as a Final blocker per https://fedoraproject.org/wiki/Fedora_34_Final_Release_Criteria#System_services - "All system services present after installation with one of the release-blocking package sets must start properly, unless they require hardware which is not present."

Comment 2 Benjamin Berg 2020-12-21 17:20:41 UTC

Yeah, that seems odd. libfprint depends on nss and should pull it in, but fprintd should certainly not link directly against NSS.

Comment 3 Adam Williamson 2020-12-21 17:22:24 UTC

Oh, hey, I know why this bug just appeared: it's because mstransky set Firefox to use internal nss because of https://bugzilla.redhat.com/show_bug.cgi?id=1908018 . Previously this bug was camouflaged by Firefox pulling in nss. Yes, even on Server - for some reason the default Server package set includes Firefox, that's odd, I'll have to try and figure out why.

We're actually hitting this on Workstation too, because apparently Firefox was the only thing pulling nss into Workstation's default package set.

Comment 4 Adam Williamson 2020-12-21 17:24:09 UTC

The other thing I didn't understand here is why no auto-generated dependency happens. Is it because these libs are unversioned, perhaps? libfprint doesn't depend on nss or nss-util either.

Comment 5 Florian Weimer 2020-12-21 17:32:55 UTC

The dependency is actually there:

https://koji.fedoraproject.org/koji/rpminfo?rpmID=24271679

The problem is that firefox provides libnss3.so()(64bit), but does not install the DSO in the directory searched by glibc:

https://koji.fedoraproject.org/koji/rpminfo?rpmID=24364770

That's arguably a bug in the dependency generators: by default, they should only consider directories searched by default.

Comment 6 Adam Williamson 2020-12-21 17:45:39 UTC

aha, yes, thanks Florian, I missed that. So the problem is still the change in Firefox, but for a slightly different reason.

It's wrong (others have noted this already) that the Firefox build provides the libnss deps, since it's not intending its copy to be system-wide. The packaging guidelines say that such provides should be filtered out by the packager. There's already a bug report for that - https://bugzilla.redhat.com/show_bug.cgi?id=1908791 - so this ultimately can just be treated as a dupe of that, I guess.

*** This bug has been marked as a duplicate of bug 1908791 ***

Comment 7 Kamil Dudka 2020-12-22 09:41:59 UTC

> The packaging guidelines say that such provides should be filtered out by the packager.

Why is it better to rely on human factor to explicitly filter out non-applicable provides when the dependency generator script can be fixed not to produce them by default?

Comment 8 Florian Weimer 2020-12-22 10:04:24 UTC

(In reply to Kamil Dudka from comment #7)
> > The packaging guidelines say that such provides should be filtered out by the packager.
> 
> Why is it better to rely on human factor to explicitly filter out
> non-applicable provides when the dependency generator script can be fixed
> not to produce them by default?

I expect it will break a few packages which install shared objects in non-default paths, along with a configuration file in /etc/ld.so.conf.d. I don't quite understand the reason for that approach (rather than using /usr/lib64 directly).

Note You need to log in before you can comment on or make changes to this bug.