[OTR-users] libotr/pidgin-otr 4.0.0 "beta2" release and win32 build

Jacob Appelbaum jacob at appelbaum.net
Tue Jul 10 05:55:50 EDT 2012


Hi Ian,

tl;dr

Apply the patches, you get automatic build hardening and a few new
Makefile targets that are useful for various things.

Ian Goldberg:
> On Fri, Jun 22, 2012 at 07:50:44PM -0700, Jacob Appelbaum wrote:
>>> Jake, as you say in your subsequent email, we'd love to see a patch to
>>> this effect.  Paul, we'd also like your opinion on it before we'd merge
>>> it.
>>

Great, here's the output of my additions to the configure.ac for pidgin-otr:

checking for win32... no
checking whether the compiler accepts -fstack-protector-all... yes
checking whether the compiler accepts -Wstack-protector... yes
checking whether the compiler accepts -fwrapv... yes
checking whether the compiler accepts --param ssp-buffer-size=1... yes
checking whether the compiler accepts -fPIE... yes
checking whether the linker accepts -pie... yes
checking whether the linker accepts -z relro -z now... yes

Here's the output for libotr:

checking for win32... no
checking whether the compiler accepts -fstack-protector-all... yes
checking whether the compiler accepts -Wstack-protector... yes
checking whether the compiler accepts -fwrapv... yes
checking whether the compiler accepts --param ssp-buffer-size=1... yes
checking whether the compiler accepts -fPIE... yes
checking whether the linker accepts -pie... yes
checking whether the linker accepts -z relro -z now... yes

That's building on a Debian variant and I have not tested it on Windows.
Tor has tested it on Windows and it seems to work just fine. I suspect
libotr/pidgin-otr won't be much different but if you want to test it on
Windows, I'll help debug it.

>> I'll hack something up - is there a git repo that I can easily clone or
>> should I base my patches on pidgin-otr-4.0.0-beta2.tar.gz?
> 
> Yes, it's git://otr.git.sourceforge.net/gitroot/otr/{libotr,pidgin-otr}
> 

Great, I've attached two patches that basically straight up crib Tor's
autoconf hardening that we originally wrote years ago. It's now on by
default for Tor, so I think we've given it a lot of testing and it
should work with gcc, clang and other compilers.

>> Great!
>>
>> Is there a plan to integrate that into the Makefile? I assume you're
>> using '-c' or perhaps '--check-format' in your checks?
> 
> I used -c --check-accelerators=_  (-c includes --check-format, of
> course).
> 
> I'm not actually sure how best to get it into the Makefile, as the
> Makefile, Makefile.in, and Makefile.in.in are all auto-generated.  Any
> intltool experts that can suggest something?

I've also attached a patch that gives you such a target as well as a few
other useful targets for both libotr and pidgin-otr.

You now have the following targets:

make {check-translations, git-tag, git-push}

Furthermore, a few notes:

I noticed that the libotr and pidgin-otr repos are missing their respective
LICENSE files. It would be nice if they were added to both.

There aren't any signed git tags. The real release should have a signed
tag. I sign my releases like so:

git-tag:
	git tag -u 0xD81D840E -s $(VERSION)

I've included such a target in both Makefile.am files.

I suspect you'll want to use the same target but with your proper
release gpg key. I'll give you a few GPG hardware tokens when I see you
next, so you can have a role key in hardware, if you want.

I tested that everything builds and I haven't introduced any compiler
warnings or anything else.

Either apply the patches with patch or with git patch to get my commit
messages and other git stuff.

Patch:

  cd libotr/
  patch < /tmp/libotr-Makefile.am.patch
  patch < /tmp/libotr-autoconf-hardening.patch

  cd pidgin-otr/
  patch < /tmp/pidgin-otr-4.0.0-beta2-Makefile.am.patch
  patch < /tmp/pidgin-otr-4.0.0-beta2-autoconf-hardening.patch

git patch:

  # You may have to `git repack` before this will work...
  # if you abort, you will need to git rebase --abort or git am --abort
  # if you do that, you can start again
  cd libotr/
  git am -i --signoff /tmp/0001-libotr-Add-new-compiler-and-linker-hardening-options.patch
  git am -i --signoff /tmp/0002-libotr-Add-git-tag-git-push-targets.patch

  cd pidgin-otr/
  git am -i --signoff /tmp/0001-pidgin-otr-Add-check-translations-git-tag-git-push-targets.patch
  git am -i --signoff /tmp/0002-pidgin-otr-add-new-compiler-and-linker-hardening-options.patch

Paul - can you test on Mac OS X, RedHat and other platforms that these
patches are fine from your perspective?

All the best,
Jake

P.S.

I noticed that the translations aren't quite checking out...

 % make check-translations
msgfmt -c --check-accelerators=_ po/*.po
po/de.po:8: duplicate message definition...
po/ar.po:10: ...this is the location of the first definition
po/de.po:23: duplicate message definition...
po/ar.po:64: ...this is the location of the first definition
po/de.po:63: duplicate message definition...
po/ar.po:45: ...this is the location of the first definition
po/de.po:72: duplicate message definition...
po/ar.po:49: ...this is the location of the first definition
po/de.po:89: duplicate message definition...
po/ar.po:176: ...this is the location of the first definition
po/de.po:107: duplicate message definition...
po/ar.po:205: ...this is the location of the first definition
po/de.po:113: duplicate message definition...
po/ar.po:98: ...this is the location of the first definition
po/de.po:118: duplicate message definition...
po/ar.po:215: ...this is the location of the first definition
po/de.po:166: duplicate message definition...
po/ar.po:76: ...this is the location of the first definition
po/de.po:184: duplicate message definition...
po/ar.po:84: ...this is the location of the first definition
po/de.po:188: duplicate message definition...
po/ar.po:88: ...this is the location of the first definition
po/de.po:194: duplicate message definition...
po/ar.po:104: ...this is the location of the first definition
po/de.po:199: duplicate message definition...
po/ar.po:109: ...this is the location of the first definition
po/de.po:204: duplicate message definition...
po/ar.po:114: ...this is the location of the first definition
po/de.po:213: duplicate message definition...
po/ar.po:119: ...this is the location of the first definition
po/de.po:222: duplicate message definition...
po/ar.po:124: ...this is the location of the first definition
po/de.po:227: duplicate message definition...
po/ar.po:129: ...this is the location of the first definition
po/de.po:232: duplicate message definition...
po/ar.po:134: ...this is the location of the first definition
po/de.po:236: duplicate message definition...
po/ar.po:139: ...this is the location of the first definition
po/de.po:248: duplicate message definition...
po/ar.po:159: ...this is the location of the first definition
po/de.po:253: duplicate message definition...
po/ar.po:163: ...this is the location of the first definition
po/de.po:258: duplicate message definition...
po/ar.po:167: ...this is the location of the first definition
po/de.po:264: duplicate message definition...
po/ar.po:172: ...this is the location of the first definition
po/de.po:269: duplicate message definition...
po/ar.po:201: ...this is the location of the first definition
po/de.po:292: duplicate message definition...
po/ar.po:180: ...this is the location of the first definition
po/de.po:300: duplicate message definition...
po/ar.po:225: ...this is the location of the first definition
po/de.po:310: duplicate message definition...
po/ar.po:230: ...this is the location of the first definition
po/de.po:318: duplicate message definition...
po/ar.po:243: ...this is the location of the first definition
po/de.po:322: duplicate message definition...
po/ar.po:247: ...this is the location of the first definition
po/de.po:334: duplicate message definition...
po/ar.po:251: ...this is the location of the first definition
po/de.po:357: duplicate message definition...
po/ar.po:273: ...this is the location of the first definition
po/de.po:381: duplicate message definition...
po/ar.po:278: ...this is the location of the first definition
po/de.po:386: duplicate message definition...
po/ar.po:283: ...this is the location of the first definition
po/de.po:394: duplicate message definition...
po/ar.po:288: ...this is the location of the first definition
po/de.po:399: duplicate message definition...
po/ar.po:293: ...this is the location of the first definition
po/de.po:410: duplicate message definition...
po/ar.po:300: ...this is the location of the first definition
po/de.po:415: duplicate message definition...
po/ar.po:305: ...this is the location of the first definition
po/de.po:420: duplicate message definition...
po/ar.po:310: ...this is the location of the first definition
po/de.po:424: duplicate message definition...
po/ar.po:151: ...this is the location of the first definition
po/de.po:428: duplicate message definition...
po/ar.po:155: ...this is the location of the first definition
po/de.po:436: duplicate message definition...
po/ar.po:335: ...this is the location of the first definition
po/de.po:444: duplicate message definition...
po/ar.po:26: ...this is the location of the first definition
po/de.po:448: duplicate message definition...
po/ar.po:322: ...this is the location of the first definition
po/de.po:493: duplicate message definition...
po/ar.po:318: ...this is the location of the first definition
po/de.po:498: duplicate message definition...
po/ar.po:340: ...this is the location of the first definition
po/de.po:503: duplicate message definition...
po/ar.po:345: ...this is the location of the first definition
po/de.po:508: duplicate message definition...
po/ar.po:350: ...this is the location of the first definition
po/de.po:512: duplicate message definition...
po/ar.po:354: ...this is the location of the first definition
po/de.po:516: duplicate message definition...
po/ar.po:358: ...this is the location of the first definition
po/de.po:520: duplicate message definition...
po/ar.po:362: ...this is the location of the first definition
po/de.po:524: duplicate message definition...
po/ar.po:366: ...this is the location of the first definition
po/de.po:528: duplicate message definition...
po/ar.po:370: ...this is the location of the first definition
po/de.po:532: duplicate message definition...
po/ar.po:374: ...this is the location of the first definition
po/de.po:536: duplicate message definition...
po/ar.po:378: ...this is the location of the first definition
po/de.po:544: duplicate message definition...
po/ar.po:382: ...this is the location of the first definition
po/de.po:548: duplicate message definition...
po/ar.po:386: ...this is the location of the first definition
po/de.po:552: duplicate message definition...
po/ar.po:390: ...this is the location of the first definition
po/de.po:556: duplicate message definition...
po/ar.po:394: ...this is the location of the first definition
po/de.po:564: duplicate message definition...
po/ar.po:398: ...this is the location of the first definition
po/de.po:568: duplicate message definition...
po/ar.po:402: ...this is the location of the first definition
po/de.po:572: duplicate message definition...
po/ar.po:406: ...this is the location of the first definition
po/de.po:576: duplicate message definition...
po/ar.po:410: ...this is the location of the first definition
po/de.po:580: duplicate message definition...
po/ar.po:414: ...this is the location of the first definition
po/de.po:584: duplicate message definition...
po/ar.po:418: ...this is the location of the first definition
po/de.po:588: duplicate message definition...
po/ar.po:422: ...this is the location of the first definition
po/de.po:592: duplicate message definition...
po/ar.po:426: ...this is the location of the first definition
po/de.po:596: duplicate message definition...
po/ar.po:430: ...this is the location of the first definition
po/de.po:600: duplicate message definition...
po/ar.po:434: ...this is the location of the first definition
po/de.po:604: duplicate message definition...
po/ar.po:439: ...this is the location of the first definition
po/de.po:610: duplicate message definition...
po/ar.po:445: ...this is the location of the first definition
po/de.po:615: duplicate message definition...
po/ar.po:450: ...this is the location of the first definition
po/de.po:620: duplicate message definition...
po/ar.po:455: ...this is the location of the first definition
po/de.po:624: duplicate message definition...
po/ar.po:459: ...this is the location of the first definition
po/de.po:629: duplicate message definition...
po/ar.po:464: ...this is the location of the first definition
po/de.po:634: duplicate message definition...
po/ar.po:469: ...this is the location of the first definition
po/de.po:639: duplicate message definition...
po/ar.po:474: ...this is the location of the first definition
po/de.po:643: duplicate message definition...
po/ar.po:478: ...this is the location of the first definition
po/de.po:872: duplicate message definition...
po/ar.po:482: ...this is the location of the first definition
po/de.po:876: duplicate message definition...
po/ar.po:486: ...this is the location of the first definition
po/de.po:880: duplicate message definition...
po/ar.po:490: ...this is the location of the first definition
po/de.po:889: duplicate message definition...
po/ar.po:495: ...this is the location of the first definition
po/de.po:893: duplicate message definition...
po/ar.po:499: ...this is the location of the first definition
msgfmt: po/de.po: warning: PO file header missing or invalid
                  warning: charset conversion will not work
msgfmt: found 83 fatal errors
make: *** [check-translations] Error 1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libotr-Makefile.am.patch
Type: text/x-patch
Size: 357 bytes
Desc: not available
URL: <http://lists.cypherpunks.ca/pipermail/otr-users/attachments/20120710/eeaa035a/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libotr-autoconf-hardening.patch
Type: text/x-patch
Size: 4362 bytes
Desc: not available
URL: <http://lists.cypherpunks.ca/pipermail/otr-users/attachments/20120710/eeaa035a/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pidgin-otr-4.0.0-beta2-Makefile.am.patch
Type: text/x-patch
Size: 549 bytes
Desc: not available
URL: <http://lists.cypherpunks.ca/pipermail/otr-users/attachments/20120710/eeaa035a/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pidgin-otr-4.0.0-beta2-autoconf-hardening.patch
Type: text/x-patch
Size: 4297 bytes
Desc: not available
URL: <http://lists.cypherpunks.ca/pipermail/otr-users/attachments/20120710/eeaa035a/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-pidgin-otr-Add-new-compiler-and-linker-hardening-options.patch
Type: text/x-patch
Size: 4913 bytes
Desc: not available
URL: <http://lists.cypherpunks.ca/pipermail/otr-users/attachments/20120710/eeaa035a/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-pidgin-otr-Add-check-translations-git-tag-git-push-targets.patch
Type: text/x-patch
Size: 1069 bytes
Desc: not available
URL: <http://lists.cypherpunks.ca/pipermail/otr-users/attachments/20120710/eeaa035a/attachment-0005.bin>
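
Added example (not part of the original message or of the attached patches): the configure output above only shows that the compiler and linker accept the hardening flags, so this sketch checks a built ELF64 file for their effect, namely position independence (-fPIE/-pie), RELRO (-z relro), immediate binding (-z now) and a stack-protector reference. The function names and the two constructed sample images are assumptions for illustration.

```python
import struct

ET_DYN, PT_DYNAMIC, PT_GNU_RELRO = 3, 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def check_hardening(elf: bytes) -> dict:
    """Report PIE / RELRO / stack-protector status of a little-endian ELF64 image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("expected a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", elf, 16)[0]
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    relro = bind_now = False
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", elf, base)
        if p_type == PT_GNU_RELRO:          # segment emitted by -z relro
            relro = True
        elif p_type == PT_DYNAMIC:          # -z now sets a flag in .dynamic
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
    return {
        # ET_DYN covers both -pie executables and shared objects
        "position_independent": e_type == ET_DYN,
        "relro": "full" if relro and bind_now else "partial" if relro else "none",
        # Heuristic: code built with -fstack-protector* references this symbol
        "stack_protector": b"__stack_chk_fail" in elf,
    }

def make_elf(e_type, relro, dyn, extra=b""):
    """Build a constructed, minimal ELF64 image (headers + .dynamic only)."""
    phdrs = [(PT_DYNAMIC, len(dyn) * 16)] + ([(PT_GNU_RELRO, 0)] if relro else [])
    dyn_off = 64 + 56 * len(phdrs)
    out = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    for p_type, size in phdrs:
        out += struct.pack("<IIQQQQQQ", p_type, 4, dyn_off, 0, 0, size, size, 8)
    return out + b"".join(struct.pack("<qQ", t, v) for t, v in dyn) + extra

# Constructed samples: one hardened image, one unhardened (ET_EXEC = 2)
HARDENED = make_elf(ET_DYN, True, [(DT_FLAGS, DF_BIND_NOW), (DT_NULL, 0)],
                    b"__stack_chk_fail\0")
PLAIN = make_elf(2, False, [(DT_NULL, 0)])
print(check_hardening(HARDENED), check_hardening(PLAIN))
```

To check a real build product, pass `open(path, "rb").read()` to `check_hardening`; "partial" means RELRO without immediate binding.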