We had an incident today [1] that opae-devel has auto-generated provides like libcrypto.so.1.1()(64bit), generated for the bundled copy of openssl (/usr/lib/python3.10/site-packages/pacsign/hsm_managers/openssl/library/libcrypto.so). It was pulled into the buildroot instead of the expected openssl1.1 package. Those deps are generated by /usr/lib/rpm/elfdeps, which is configured in /usr/lib/rpm/fileattrs/elf.attr to act on anything that matches the file magic of '^(setuid,? )?(setgid,? )?(sticky )?ELF (32|64)-bit.*$'. My question: shouldn't we limit the elfdeps generator to files which are in paths that can be loaded automatically by the linker? (This could be implemented as e.g. the paths that are default like /usr/lib64, /usr/local/lib64, …, depending on the architecture, and if the package installs anything in /etc/ld.so/, also the paths listed there.) I always understood those Provides/Requires to be used for library dependency resolution, and it doesn't seem to make sense to generate them for plugins and other "private" objects outside of the linker load paths. I think it's much much more common to have .so libraries outside of the linker paths for which we don't want the automatic provides (python modules, java extensions, various loadable plugins), than to have shared libraries in some custom directory. This should eliminate most of the stupid issues where a "private" dependency leaks and breaks other packages. [1] bugzilla.redhat.com/2028852 Zbyszek _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
