From phil at bolthole.com Mon Nov 1 16:48:12 2010
From: phil at bolthole.com (Philip Brown)
Date: Mon, 1 Nov 2010 08:48:12 -0700
Subject: [csw-users] important change: length of software names
Message-ID:

Greetings, OpenCSW users,

We are considering making a change to a long-time standard for CSW
packages.
It has been proposed that we raise the maximum length limit on our
software names, to be the full length supported by Solaris 9 and 10.

This means that PKG names would be allowed to be 32 chars long,
which means catalog names, aka "software names", could be up to 29
chars long
(To match the PKG name, minus the leading "CSW")

While we believe our internal software, and also utilities such as
pkg-get and pkgutil, can be easily modified, we wanted to give the user
community notice in advance, so that there is opportunity for feedback,
if this somehow adversely affects anyone.

If this is the case for you, please let us know. The simplest method is
probably to email this list. However, if you wish, you may alternatively
email me, or the OpenCSW board list. (board @ ....)

Thank you for your interest, and involvement, in OpenCSW

Philip Brown

From vuvulescu at gmail.com Wed Nov 17 18:23:11 2010
From: vuvulescu at gmail.com (Silviu Podariu)
Date: Wed, 17 Nov 2010 11:23:11 -0600
Subject: [csw-users] gcc-4.3.3, post-install trouble: ld.so.1: a.out: fatal: libstdc++.so.6: open failed...
Message-ID:

Dear solaris experts,

I am new to this utility/list, signed up because it looks the natural
way of installing packages to a solaris env (much like the debian/ubuntu
'apt' way).

I did a fresh install of solaris 10 on a sparc workstation (uname -a
gives: SunOS testComp 5.10 Generic_139555-08 sun4u sparc
SUNW,Sun-Blade-2500 ), and I tried to use pkgutil (installed normally
with pkgadd, updated to v-2.2, updated catalog) to install a newer gcc
package than the 3.4.3 which came with the install.
Everything went fine with the install, and now I have the two g++
compilers on the system: (my prompt is a '\w: ')

/: find . -name g++
./usr/sfw/bin/g++
./opt/csw/gcc4/bin/g++
/: /usr/sfw/bin/g++ --version
g++ (GCC) 3.4.3 (csl-sol210-3_4-branch+sol_rpath)
Copyright (C) 2004 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
/: /opt/csw/gcc4/bin/g++ --version
g++ (GCC) 4.3.3
Copyright (C) 2008 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
/:

However, when testing a simple program, trouble arises with the csw
compiler: (while all is fine with the original one)

~/cs/cpp/test: /opt/csw/gcc4/bin/g++ reFormat.cc
~/cs/cpp/test: ./a.out
ld.so.1: a.out: fatal: libstdc++.so.6: open failed: No such file or directory
Killed
~/cs/cpp/test: ldd a.out
        libstdc++.so.6 => (file not found)
        libm.so.2 => /lib/libm.so.2
        libgcc_s.so.1 => (file not found)
        libc.so.1 => /lib/libc.so.1
        /platform/SUNW,Sun-Blade-2500/lib/libc_psr.so.1
~/cs/cpp/test:
~/cs/cpp/test: /usr/sfw/bin/g++ reFormat.cc
~/cs/cpp/test: ./a.out
~/cs/cpp/test: ldd a.out
        libstdc++.so.6 => /usr/sfw/lib/libstdc++.so.6
        libm.so.2 => /lib/libm.so.2
        libgcc_s.so.1 => /usr/sfw/lib/libgcc_s.so.1
        libc.so.1 => /lib/libc.so.1
        /platform/SUNW,Sun-Blade-2500/lib/libc_psr.so.1
~/cs/cpp/test:

Apparently there is something else I need to do, besides installing
the gcc package.
Does anybody have a robust solution/answer to fixing this?

Thank you very much,
Silviu

From james at opencsw.org Wed Nov 17 18:44:42 2010
From: james at opencsw.org (James Lee)
Date: Wed, 17 Nov 2010 17:44:42 GMT
Subject: [csw-users] gcc-4.3.3, post-install trouble: ld.so.1: a.out: fatal: libstdc++.so.6: open failed...
In-Reply-To:
References:
Message-ID: <20101117.17444200.2518876166@gyor.oxdrove.co.uk>

On 17/11/10, 17:23:11, Silviu Podariu wrote regarding [csw-users]
gcc-4.3.3, post-install trouble: ld.so.1: a.out: fatal: libstdc++.so.6:
open failed...:

> ~/cs/cpp/test: /opt/csw/gcc4/bin/g++ reFormat.cc
> ~/cs/cpp/test: ./a.out
> ld.so.1: a.out: fatal: libstdc++.so.6: open failed: No such file or
> directory
> Killed

It's essentially the same as this:
https://www.opencsw.org/mantis/view.php?id=3846
(I thought there was one for g++ but I can't see it.)

Do:
$ g++ -R/opt/csw/gcc4/lib reFormat.cc

and look for the RPATH:
$ dump -Lv ./a.out | grep RPATH
[8]     RPATH           /opt/csw/gcc4/lib

> Apparently there is something else I need to do, besides installing
> the gcc package

Install Sun Studio 12.2:
http://www.oracle.com/technetwork/server-storage/solarisstudio/overview/index.html

James.

From lrhazi at gmail.com Wed Nov 24 20:30:07 2010
From: lrhazi at gmail.com (Mohamed Lrhazi)
Date: Wed, 24 Nov 2010 14:30:07 -0500
Subject: [csw-users] Concerns about the safety of OpenCSW packages....
Message-ID:

Hello all,

Could you share some arguments you might have used, or would use, to
answer a management argument against OpenCSW in the form of:

- How do we know nothing bad has been added to these packages you want
to install on our servers?
- Who is this OpenCSW anyways?

Another question I have is: Does anybody know if Redhat audits all the
source code of all the software they ship to their customers?
Does Oracle/Sun/Novell and others, promise that? How does trust work in
the Open Software world?

Thanks a lot.
Mohamed,

From cptsalek at gmail.com Wed Nov 24 23:29:37 2010
From: cptsalek at gmail.com (Christian Walther)
Date: Wed, 24 Nov 2010 23:29:37 +0100
Subject: [csw-users] Concerns about the safety of OpenCSW packages....
In-Reply-To:
References:
Message-ID:

Hello Mohamed,

On 24 November 2010 20:30, Mohamed Lrhazi wrote:
> Hello all,
>
> Could you share some arguments you might have used, or would use, to
> answer a management argument against OpenCSW in the form of:
>
> - How do we know nothing bad has been added to these packages you want
> to install on our servers?

Well, IMO you basically don't know if something bad has been added to
these packages. But this is not an Open Source or OpenCSW specific
problem, because you can't be sure what you download from any remote
server if you take security to this level.

The only way to be sure that nothing bad is in any software package
would be to download and audit the source yourself. And OSS is the only
type of software that allows you to deeply analyze the code, because
closed source providers just deliver binary blobs that can't be analyzed,
or you might even risk breaking several laws ("reverse engineering").

Big names don't help here either, because as a user you can't be sure if
any of these big companies have a deal with some security agency,
resulting in installed back doors. It was in the news often enough that
the NSA wanted something like this, for example. Of course such a
backdoor could be exploited by some malicious cracker.

Even if we take it for granted that no company would do something like
this we can't put too much trust in publicly available servers, because
these servers could be compromised and the served contents changed. Even
checksums won't help much, because there's no guarantee that the system
responsible for creating those hasn't been cracked as well...

> - Who is this OpenCSW anyways?

An OSS project just like many others, trying to deliver some useful
packages for a fantastic Operating System, thus increasing productivity
and usability I would say. ;-)

> Another question I have is: Does anybody know if Redhat audits all the
> source code of all the software they ship to their customers?
I pretty much doubt it. The amount of packages available from RedHat is
IMO too high to be thoroughly audited. They probably have some QA which
keeps track of known (and exploitable) bugs so that these can be
squashed ASAP.

Basically the power of OSS is the community: Because famous packages
(Gnome, KDE, OpenOffice et al.) are installed on hundreds of thousands
of systems, probability is high that a bug or security issue is found and
reported before anything bad happens. From what I gather the amount of
"zero day exploits" for OSS is pretty low.

Additionally many people in the OSS scene are skilled enough to either
trace a bug down to a specific piece of code, or even provide a patch to
both the community and upstream. The benefit here is on all sides: Every
user skilled enough can apply the patch directly, while the average user
can (or has to) rely on his distribution to provide an update.

While there are exceptions to the rule, most security related bugs in OSS
are fixed faster than their closed source counterparts.

> Does Oracle/Sun/Novell and others, promise that? How does trust work in
> the Open Software world?

This is an interesting question, and I guess that reading licenses or
the fine print in support contracts could help here.

Trust is a good point in the OSS world. If money* is not an option all
you have is trust -- and credibility. This involves both the development
and distribution. If a project would mess up badly, chances are high
that it would lose its credibility. Losing users would be the result.

That being said you have to trust the package maintainers not to do
anything bad, and the sysadmins that they know their work so that the
servers are secure. But you have to trust the thousands of Microsoft
developers and their sysadmins in pretty much the same way.
It's merely a coincidence but I think about Microsoft's own IPv6 tunnel
service that was able to get through company firewalls rather unnoticed,
risking the safety of entire corporate networks.

Normally you don't install an untested product on a production machine,
but on some dedicated environment. Take your time to test it, and if it
doesn't break anything you can be pretty sure that it works as expected
and that it's safe for production use.

Reading security related mailing lists, websites, or using services like
Secunia is advised as well, to keep up to date with security issues in
*any* product, OSS or not.

HTH
Christian

*) I think it's a good idea to keep in mind that many licence agreements
and terms of services of closed source software products very often boil
down to something like "pay much, but don't expect anything, including
warranty".

From lrhazi at gmail.com Fri Nov 26 09:38:20 2010
From: lrhazi at gmail.com (Mohamed Lrhazi)
Date: Fri, 26 Nov 2010 03:38:20 -0500
Subject: [csw-users] Concerns about the safety of OpenCSW packages....
In-Reply-To:
References:
Message-ID:

Thank you so much for sharing your views. Been very helpful.

Mohamed.

On Wed, Nov 24, 2010 at 5:29 PM, Christian Walther wrote:
> Christian

--
-- If not for coffee, I'd have no use for water at all.