On 03/02/2015 11:00 AM, Johnny Hughes wrote:
> On 03/02/2015 10:38 AM, ANDY KENNEDY wrote:
>>>> I'm tasked with reconstructing the CentOS version of the GlibC library for testing with
>>>> gethostbyname(). My mission is to show that we are not affected by the latest exploit for
>>>> the product we are shipping targeted for RHEL and CentOS. To do so, I want to equip
>>>> gethostbyname() with additional code.
>>>
>>> Do you plan on shipping this updated glibc as part of the product, or is
>>> this simply for testing? If you plan to distribute/ship an updated
>>> glibc, that's probably going to raise a few eyebrows and anger a few
>>> sysadmins.
>>
>> No release. Only testing.
>>
>
> Also, please be advised that rebuilding a package and then trying to
> compare it to something else built earlier is likely not going to work
> unless you can duplicate the exact set of packages that are installed in
> the build root at the time of the build. Even then, with documentation
> generation, you STILL might not get an exact, bit for bit, match when
> building later.
>
> It is almost impossible to duplicate a closed and staged build system
> for a given date unless you are trying very hard to do so.
>
>>>
>>>> My objective is to rebuild from source the EXACT version of GlibC for CentOS 6.6.
>>>> Afterwards, I will make my changes in the code, rebuild and complete my testing.
>>>>
>
> ^^ That would likely be impossible to accomplish. See my comments above.
>
> <snip>

The list of packages that were in the "mock build root" for our build of
the glibc-2.12-1.149.el6_6.5.x86_64.src.rpm is here:

http://ur1.ca/ju24m

To get close to an exact match, you need to use mock and use the
packages listed above (and only those versions) if you are trying to get
a build that matches what we built.
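One way to check a local mock chroot against a reference build-root list before rebuilding, as an added example that is not part of the original message. It assumes both lists hold one `name-version-release.arch` entry per line; the package entries below are constructed samples, not the contents of the linked list.

```python
"""Diff a reference build-root package list against a local mock chroot list."""

# Constructed sample data (illustrative NVRAs, not the real linked list).
REFERENCE = """\
gcc-4.4.7-11.el6.x86_64
binutils-2.20.51.0.2-5.42.el6.x86_64
kernel-headers-2.6.32-504.el6.x86_64
texinfo-4.13a-8.el6.x86_64
"""
LOCAL = """\
gcc-4.4.7-11.el6.x86_64
binutils-2.20.51.0.2-5.43.el6.x86_64
kernel-headers-2.6.32-504.el6.x86_64
libselinux-devel-2.0.94-5.8.el6.x86_64
gpg-pubkey-00000000-00000000
"""

def parse_nvra(line):
    """Split 'name-version-release.arch' into ((name, arch), 'version-release')."""
    nvr, arch = line.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return (name, arch), f"{version}-{release}"

def load(text):
    """Map (name, arch) -> set of version-release strings."""
    pkgs = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments and imported signing keys (no arch suffix).
        if not line or line.startswith("#") or line.startswith("gpg-pubkey-"):
            continue
        key, vr = parse_nvra(line)
        pkgs.setdefault(key, set()).add(vr)
    return pkgs

def compare(reference, local):
    """Report packages missing from, extra in, or differing in the local root."""
    ref, loc = load(reference), load(local)
    return {
        "missing": sorted(k[0] for k in ref.keys() - loc.keys()),
        "extra": sorted(k[0] for k in loc.keys() - ref.keys()),
        "mismatched": sorted((k[0], sorted(ref[k]), sorted(loc[k]))
                             for k in ref.keys() & loc.keys() if ref[k] != loc[k]),
    }

if __name__ == "__main__":
    for kind, items in compare(REFERENCE, LOCAL).items():
        print(kind, items)
```

Any non-empty result means the local build root differs from the reference one, so the rebuilt glibc should not be expected to match the shipped binary.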