• Re: Anyone using AWS.Client in Fedora? You need Rawhide.

    From Niocláiſín@21:1/5 to All on Fri Dec 6 20:01:49 2024
    "[. . .]

    [. . .]
    [. . .] Furthermore, AWS 25 needs
    Gnatcoll 25, and as usual each new library version has a new soname.
    If we would push AWS 25 and Gnatcoll 25 as updates to Fedora 40 and 41,
    then any programs using Gnatcoll would stop working when users install
    the update, even if they have nothing to do with AWS. That would be bad."

    An electronic engineer who also used to be a GNU/Linux administrator had already perceived this problem of shared libraries in the Year 2006.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Björn Persson@21:1/5 to All on Fri Dec 6 19:45:39 2024
    Anyone who uses the client-side HTTPS functionality of the Ada Web
    Server library needs to know about CVE-2024-37015. HTTPS requests made
    with AWS.Client are vulnerable to monster-in-the-middle attacks.

    Here's the announcement from Adacore: https://docs.adacore.com/corp/security-advisories/SEC.AWS-0031-v2.pdf

    Although the vulnerability was disclosed in August, version 25.0.0 is
    the only public release that includes the fix. It is now finally
    available in Fedora, but only in Rawhide, the development version that
    will become Fedora 42.

    The fix comes with API changes that make it difficult to backport to
    older versions. That also means that programs using AWS will probably
    need to be adapted to use version 25. Furthermore, AWS 25 needs
    Gnatcoll 25, and as usual each new library version has a new soname.
    If we would push AWS 25 and Gnatcoll 25 as updates to Fedora 40 and 41,
    then any programs using Gnatcoll would stop working when users install
    the update, even if they have nothing to do with AWS. That would be bad.

    Thus, AWS.Client in Fedora 40 and 41 should not be used except on
    isolated networks where everything on the network is fully trusted.
    Only in Rawhide is AWS.Client suitable for use on the Internet.

    If you run programs in Fedora that use AWS.Client on the Internet, these
    are your options:

    1: Install Rawhide and follow the development version, accepting the
    instability and the higher maintenance burden, until Fedora 42 is
    released. Adapt your programs to the API changes in AWS 25. Recompile
    more or less all of your own programs. Expect further recompilations
    before the release date, such as when the soname of Libgnat will
    change some time in January.

    2: Download the source RPM packages of AWS 25 and Gnatcoll 25 from
    Rawhide, and compile them yourself on Fedora 41. Adapt your programs
    to the API changes, and also recompile anything that uses Gnatcoll.

    This situation is not how I wish it were, but there are limits to what
    packagers can do when the upstream developers don't make clean bugfix
    releases.

    Björn Persson

  • From Lawrence D'Oliveiro@21:1/5 to All on Fri Dec 6 20:15:29 2024
    On Fri, 6 Dec 2024 20:01:49 +0100, Niocláiſín Cóilín de Ġloſtéir wrote:

    > [. . .] Furthermore, AWS 25 needs Gnatcoll 25, and as usual each new
    > library version has a new soname.
    >
    > An electronic engineer who also used to be a GNU/Linux administrator had already perceived this problem of shared libraries in the Year 2006.

    Note the soname part. That only increments when there are backward-incompatible changes to the ABI. Otherwise you could install the new
    version, and existing compiled code would run against it just fine.

    Consider the transition in the Linux world from libc5 to GNU libc6. That happened over 20 years ago. Isn’t it time for libc7? No, because they have been able to keep all the changes backward-ABI-compatible so far.

  • From Niocláiſín@21:1/5 to All on Fri Dec 6 22:55:43 2024
    On Fri, 6 Dec 2024, Björn Persson wrote:
    "Although the vulnerability was disclosed in August, version 25.0.0 is
    the only public release that includes the fix."

    ALIRE did not fail to disappoint me again today . . .
    alr get aws
    ⓘ Deploying aws=24.0.0...
