This Time Self-Hosted
dark mode light mode Search

RDEPEND safety

I’m hoping this post is going to be useful for all the devs and devs to be that want to be sure their ebuilds have proper runtime dependencies. It has sprouted by the fact it seems at least a few developers were oblivious of the implications of what I’m going to describe (which I described briefly on gentoo-core a few days ago, without any response).

First of all, I have to put my hands forwards and say that I’m going to focus on just the binary ELF packages, and this is far from a complete check for proper runtime dependencies. Scripting code is much more difficult to check, while Java is at least somewhat simpler thanks to the Java team’s script.

So you got a simple software that installs ELF executable fils or shared libraries, and you want to make sure all the needed dependencies are listed. The most common mistake there is to check the link chain with ldd (which is just a special way to invoke the loader, dumping out the called libraries). This would most likely show you a huge amount of false positives:

yamato ~ # ldd /usr/bin/mplayer =>  (0xf7f8d000) => /usr/lib/ (0xf7eec000) => /usr/lib/ (0xf7dfd000) => /lib/ (0xf7de5000) => /usr/lib/ (0xf7de1000) => /usr/lib/ (0xf7ddb000) => /usr/lib/ (0xf7dd4000) => /usr/lib/ (0xf7d52000) => /usr/lib/ (0xf7d40000) => /usr/lib/ (0xf7cae000) => /usr/lib/ (0xf7c37000) => /lib/ (0xf7bf3000) => /usr/lib/ (0xf7bcd000) => /lib/ (0xf7bb9000) => /usr/lib/ (0xf7b52000) => /usr/lib/ (0xf7a9a000) => /usr/lib/ (0xf7a13000) => /usr/lib/ (0xf79e6000) => /usr/lib/ (0xf79cd000) => /usr/lib/ (0xf799b000) => /lib/ (0xf7975000) => /lib/ (0xf7832000) => /usr/lib/ (0xf782f000) => /usr/lib/ (0xf7815000) => /lib/ (0xf7810000)
    /lib/ (0xf7f71000) => /usr/lib/ (0xf77ef000) => /lib/ (0xf77e6000) => /usr/lib/ (0xf77bf000) => /usr/lib/ (0xf77b9000) => /usr/lib/ (0xf77b4000) => /usr/lib/ (0xf77ae000)

In this output, for instance, you can see listed the XCB libraries, and Expat, so you could assume that MPlayer depends on those. On the other hand, it really doesn’t, and they are just indirect dependencies, that the loader will have to load anyway. To avoid being fooled by that the solution would be to check the file itself for the DT_NEEDED entries in the .dynamic section of the ELF file. This can be achieved by checking the output of readelf -d or much more quickly by using scanelf -n:

yamato ~ # scanelf -n /usr/bin/mplayer
ET_EXEC,,,,,,,,,,,,,,,,,,,, /usr/bin/mplayer 

As you can see here MPlayer does not use either of those libraries, which means that they should not be in MPlayer’s RDEPEND. There is, though, another common mistake here. If you don’t use --as-needed (especially not forcing it), you’re going to get indirect and misguided dependencies . So you can only trust DT_NEEDED when the system has been built with --as-needed from the start. This is not always the case and thus you can get polluted dependencies. And thanks to the fact that now the linker silently ignores --as-needed on broken libraries this is likely to create a bit of stir.

One of the entries in my ever so long TODO list (explicit requests for tasks during donation helps, just so you know) is to write a ruby-elf based script that can check the dependencies without requiring the whole system to be built with --as-needed. It would probably be a lot like the script that Serkan pointed me at for Java, but for ELF files.

After you got the required dependencies are seen by the loader right, though, your task is not complete yet. A program has more dependencies that it might appear to have, since it might require data files to be opened, like icon themes and similar, but also more important dependencies in form of other programs or libraries. And that is not always too obvious. While you can check if the software is using the dlopen() interface to load dynamically further libraries, again using scanelf, that is not going to tell you much and you have to check the source code. Also the program can call another through way of the exec family of functions, or through system(). And even if your program does not call any of these functions you cannot be sure that you got the complete dependencies right without opening it

This is because libraries adds indirection to these things too. The gmodule interface in glib allows for dynamically loading plugins, and can actually load plugins you don’ t see and check, and Qt (used to) provide a QProcess class that allows to execute other software.

All in all, even for non-scripting programs, you really need to pay attention to the sources to be safe that you got your dependencies right and you should never ever rely purely on the output of a script. Which is another reason why I think that most work in Gentoo cannot be fully automated, not just yet at least. At any rate, I’m hoping to provide developers with an usable script one day soonish, at least it’ll be a step closer than it is now.

Comments 2
  1. Thanks a lot for this post.It clarifies many things especially for new developers 🙂

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.