The TODO list for CRUX 3.8 says that libbsd and libmd were committed to
the core repo add implied it was due to shadow enabling libbsd by default.
Since libmd is required by libmd it also must be put in core.
My curiousity (and caution) led me to build CRUX 3.8-rc3 on a
qemu kvm.
I dislike libbsd because it worms its way into so many autoconf
built packages after it is installed. And when libbsd gets updated the
host can be difficult or impossible to work with before the revdep.
#crux-devel/2022-09-27.log:[15:33:28]:
<farkuhar> looks like switching from autotools to cmake prevented the
libarchive build from linking against libbsd. I just ran
'prt-get update -fr libarchive' on a system with libbsd installed,
and ldd /usr/bin/bsdtar does not report any linking to files owned by libbsd.
Hooray for cmake builds. Too bad so many packages still use autoconf.
I found https://github.com/shadow-maint/shadow/issues/779 interesting reading.
There was some pushback in August of 2023 and the devs added --with-libbsd
to deal with it. In autoconf --with-libbsd implies --without-libbsd too.
Two of the functions that libbsd added that were once sought after for code
safety, strlcpy(3) and strlcat(3), were added to glibc 2.38. The shadow devs
decided to copy the BSD readpassphrase(3) code into shadow since shadow uses
BSD-3-Clause license and libbsd does too.
libbsd and libmd are not required by shadow and libmd is not required by
openssh.
openssh builds fine without it. shadow builds without it if --without-libbsd
is added to ./configure.
There is no explanation I can find for the libmd dep in openssh. It appears in
https://git.crux.nu/ports/core/commit/30541007d30acf30169ad8c18c6e06a6590e1…
with the description "Merge remote-tracking branch 'origin/3.7' into 3.8" and
seems inadvertent.
To see what effect libbsd and libmd had on a fresh install of 3.8-rc3 I started
with only the core packages installed. I used ldd in /bin, /sbin, /usr/bin, and
/usr/sbin to see which binaries where already linked to libbsd or libmd. Of
course if libbsd is linked by a binary it also links libmd.
These core tools will not be available after an update to libmd and/or libbsd
and before revdep is run to rebuild their owners:
Linked to libbsd in /usr/bin:
chage chfn chsh expiry faillog getsubids newgidmap newgrp newuidmap passwd
sg su
Linked to libmd in /usr/bin:
scp sftp ssh ssh-add ssh-agent ssh-keygen ssh-keyscan
Linked to libbsd in /bin:
login
Linked to libbsd in /sbin
nologin
Linked to libbsd in /usr/sbin
chgpasswd groupadd groupdel groupmems groupmod grpck pwck useradd userdel
usermod vigr vipw
Linked to libmd in /usr/sbin
sshd
After the install of only core and examining what was using libmd or libbsd
I installed all the opt and xorg ports.
Of the 99 ISO ports in opt only one used libbsd: talloc (used by samba).
Of the 98 ISO ports in xorg only one used libbsd: xorg-server, make these
binaries vulnerable: Xorg, Xnest, and Xvfb.
By now you can see I *really* don't like libbsd in a Linux system. It belongs in
a BSD system.
I'm sorry if this generates more work for 3.8 but libbsd with autoconf is like
cancer for a Linux system; the sooner it is cut out the easier it is on the
patient.
And as always: thanks for your work on CRUX. Still the best Linux distro.
Regards, Daryl
P.S. As near as I can tell libbsd was only updated three times during the
lifetime of CRUX 3.7 so future breakage possibilities might be minimal.
