#502 Temporary exception for DHCP being built using bundled BIND libraries in Fedora 22+
Closed: Fixed. Opened 6 years ago by thozza.

This is a request for exception to build ISC DHCP server and client using bundled BIND version in Fedora 22 and later, until ISC DHCP is ported to work with BIND 9.10.x libraries.

== Answers to standard questions:

==== Has the library behaviour been modified? If so, how has it been modified? If the library has been modified in ways that change the API or behaviour then there may be a case for copying. Note that fixing bugs is not grounds to copy. If the library has not been modified (ie: it can be used verbatim in the distro) there's little chance of an exception.

Since the BIND 9.10 major version, the BIND libraries have been modified so that only one unified version is built, which is meant to be used by BIND and also by any other software (e.g. ISC DHCP). Previously a special version of the libraries (<libname>-export.so) was built, which was used by other software and was not the same as the libraries used by BIND.
The difference is mainly that the unified version of the libraries uses epoll and threads by default. This makes the DHCP client and server not work when running in the background (daemonized). If running in the foreground, both client and server have to be "kill -9"-ed to stop them.
Upstream (ISC) distributes DHCP with the latest version of BIND 9.9.x bundled, whose libraries are built as part of the DHCP build process. In Fedora we remove BIND from the DHCP archive and build DHCP against the system version of the BIND libraries to conform to the Fedora packaging guidelines. With the latest major version (9.10) of BIND, this is impossible.
Please note that we want the latest major version of BIND in Fedora, since it provides a native PKCS#11 interface, which is used by the FreeIPA project. Although the functionality has also been backported by the Fedora maintainer to the BIND 9.9.x version, it is a 22k-line patch, which breaks on every package rebase.

==== Why haven't the changes been pushed to the upstream library? If no attempt has been made to push the changes upstream, we shouldn't be supporting people forking out of laziness.

This issue has been discussed with upstream, which is well aware of it. The cause of this issue is that upstream didn't have enough time to port DHCP to the BIND 9.10 version of the libraries before releasing BIND. They will have to finish it eventually; however, there is no estimate or specific schedule for when DHCP will be ported to the BIND 9.10 libraries. There is a high possibility that this won't happen until BIND 9.9.x goes EOL completely.
https://lists.isc.org/pipermail/bind-users/2015-February/094636.html
Please note that both BIND and DHCP are developed by the same organization ISC (isc.org).

==== Have the changes been proposed to the Fedora package maintainer for the library? In some cases it may make sense for our package to take the changes despite upstream not taking them (for instance, if upstream for the library is dead).

All changes and possibilities have been discussed with and tried by the library (BIND component) owner and also by the DHCP component owner.
The possibilities and the outcome are stated in the BIND 9.10 Fedora 22 System Wide Change bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1181562

==== Could we make the forked version the canonical version within Fedora? For instance, if upstream for the library is dead, is the package we're working on that bundles willing to make their fork a library that others can link against?

No, we want DHCP to be statically built against the bundled BIND version and not to include or package the BIND libraries. Note that other dependent software (dnsperf and bind-dyndb-ldap) is built against the BIND 9.10 version of the libraries and will still be built that way.

==== Are the changes useful to consumers other than the bundling application? If so why aren't we proposing that the library be released as a fork of the upstream library?

The bundling is not useful for any other application. This is a temporary solution until DHCP is ported to run with the BIND 9.10 version of the libraries. We don't want the bundled library to be used by any other application.

==== Is upstream keeping the base library updated or are they continuously one or more versions behind the latest upstream release?

Yes, the bundled BIND version is always the latest stable one. Also, a new DHCP upstream version is released on a new BIND version. Note that the upstream is the same (ISC) for both BIND and DHCP.

==== What is the attitude of upstream towards bundling? (Are they eager to remove the bundled version? are they engaged with the upstream for the library? Do they have a history of bundling? Are they argumentative?)

BIND has been bundled in the ISC DHCP archive from the beginning; however, in Fedora we have been building it against the system BIND libraries for the past couple of years. Upstream will not stop bundling BIND; however, as soon as they start bundling the 9.10.x version, we will unbundle the libraries again in Fedora and will use the system libraries.

==== Overview of the security ramifications of bundling

BIND has a couple of CVEs a year; however, these are mostly related to the DNS server/resolver itself and mostly don't affect the DHCP server/client. The DHCP server/client mostly uses the parts for:
- Dynamic DNS updates when giving out DHCP leases
- the configuration parser
- the main event loop code and things related to it.
Also, if there is a BIND CVE which affects DHCP, upstream releases a new version of DHCP, which includes the fixed BIND. An example of this is:
https://lists.isc.org/pipermail/dhcp-announce/attachments/20130326/8acd5ab8/attachment.txt

==== Does the maintainer of the Fedora package of the library being bundled have any comments about this?

The proposer of this is the maintainer of the BIND package in Fedora and co-maintainer of the DHCP package in Fedora. Also, Jiri Popelka, included in this ticket, is the maintainer of the DHCP package.
Unfortunately there are only bad options in this situation:
1. Build DHCP with bundled BIND
2. Revert the change of BIND in Fedora and ship the previous major version with a giant patch due to FreeIPA.
Possibilities are listed here: https://bugzilla.redhat.com/show_bug.cgi?id=1181562

==== Is there a plan for unbundling the library at a later time? Include things like what features would need to be added to the upstream library, a timeline for when those features would be merged, how we're helping to meet those goals, etc.

Yes, however there is no specific schedule. As stated before, as soon as upstream starts bundling the 9.10.x version, we will unbundle the libraries again in Fedora and will use the system BIND libraries.

==== Please include any relevant documentation -- mailing list links, bug reports for upstream or the bundled library, etc.

BIND 9.10 Fedora Change bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1181562

Upstream discussion:
https://lists.isc.org/pipermail/bind-users/2015-February/094636.html

FESCo ticket for Changes status check:
https://fedorahosted.org/fesco/ticket/1416#comment:10

Log from the FESCo ticket, where possibilities were discussed:
http://meetbot.fedoraproject.org/fedora-meeting/2015-02-25/fesco.2015-02-25-18.01.log.html


This came too late for our meeting today, but I've been thinking about this a bit. I understand the problem, but I'm not sure about the solution.

Some questions:

  • Is BIND 9.9 still maintained (i.e. receives bugfixes)?
  • If 9.9 is patched or altered in any way, does ISC immediately bump the DHCPD release?
  • Is it possible to package BIND 9.9 separately (not the whole resolver, but perhaps just the libraries) and have DHCPD use that?

Things are security-critical all around. If ISC is fixing up the bundled 9.9 sources whenever they make a change, I'd balance the bundling as being far preferable to carrying a 22k-line patch just so we can keep 9.9 around.

Replying to [comment:1 tibbs]:

This came too late for our meeting today, but I've been thinking about this a bit. I understand the problem, but I'm not sure about the solution.

Some questions:

  • Is BIND 9.9 still maintained (i.e. receives bugfixes)?

Yes, it is. Both major versions (9.9 and 9.10) are currently maintained. The 9.9 version is an ESV (extended support version), meaning it will be available for quite some time.

  • If 9.9 is patched or altered in any way, does ISC immediately bump the DHCPD release?

Not always. E.g. the latest development version, DHCP 4.3.2rc2, was released on the same day the latest stable BIND 9.9.7 was (this week). However, the latest stable DHCP 4.3.1 version includes BIND 9.9.5-P1, which was released at the time DHCP 4.3.1 was.

As I stated earlier, if there is some security fix in BIND affecting DHCP, then a new DHCP is released with the fixed BIND version. If there are regular bug fixes that don't affect DHCP, most probably there will not be any unplanned update of DHCP. The latest released version of DHCP (stable/development) always includes the latest BIND available at that time.

  • Is it possible to package BIND 9.9 separately (not the whole resolver, but perhaps just the libraries) and have DHCPD use that?

We didn't investigate this option thoroughly enough. It should definitely be possible to build the whole of BIND and then remove all unnecessary parts and package only those <libname>-export.so libraries. However, I think there may be some conflicts between the header files installed by BIND 9.9 and 9.10. Anyway, this needs some more testing.

Things are security-critical all around. If ISC is fixing up the bundled 9.9 sources whenever they make a change, I'd balance the bundling as being far preferable to carrying a 22k-line patch just so we can keep 9.9 around.

Yes, we understand that. ISC updates the bundled BIND whenever a new version of DHCP is released OR there is any CVE in BIND that also affects DHCP.
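The exchange above, on when ISC refreshes the BIND bundled in a DHCP release, leaves a practitioner with one concrete check to do on a dhcp source tree: which BIND is actually inside it, and is that at or past the release a BIND advisory names as fixed. The following is an added example, not code from the ticket, from ISC or from the Fedora packages. It assumes the ISC DHCP tarball carries the bundled BIND sources under bind/ with BIND's own version file (bind/version.tmp, MAJORVER=/MINORVER=/PATCHVER=/RELEASETYPE=/RELEASEVER= lines); the sample file contents are constructed here to mirror the 9.9.5-P1 named above, and the minimum versions passed in are placeholders, not real advisories. The one detail worth getting right is the ordering: -P patch releases sort after the plain release while b/rc pre-releases sort before it, so a plain string comparison of "9.9.7b1" against "9.9.7" gives the wrong answer.

```python
"""Check the BIND version bundled in an ISC DHCP source tree against a
required minimum.

Added example, not code from the ticket or from ISC/Fedora.  Assumes the
ISC DHCP tarball layout: bundled BIND sources under bind/, with BIND's own
version file (bind/version.tmp) in KEY=VALUE shell-variable format.
"""
import re
from dataclasses import dataclass
from functools import total_ordering

# Release types in BIND version strings, in sort order:
# 9.9.7b1 < 9.9.7rc1 < 9.9.7 < 9.9.7-P1 (betas and RCs precede the final
# release; -P security/patch releases follow it).
_RELEASE_RANK = {"b": 0, "rc": 1, "": 2, "-P": 3}


@total_ordering
@dataclass(frozen=True)
class BindVersion:
    major: int
    minor: int
    patch: int
    release_type: str = ""   # "", "b", "rc" or "-P"
    release_ver: int = 0

    _VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(-P|rc|b)(\d+))?$")

    @classmethod
    def parse(cls, text: str) -> "BindVersion":
        """Parse a version string such as '9.9.5-P1' or '9.10.2rc1'."""
        m = cls._VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"not a BIND version string: {text!r}")
        major, minor, patch, rtype, rver = m.groups()
        return cls(int(major), int(minor), int(patch),
                   rtype or "", int(rver) if rver else 0)

    @classmethod
    def from_version_file(cls, contents: str) -> "BindVersion":
        """Parse BIND's version file (KEY=VALUE lines, '#' comments)."""
        fields = {}
        for line in contents.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, _, value = line.partition("=")
                fields[key.strip()] = value.strip()
        rtype = fields.get("RELEASETYPE", "")
        if rtype not in _RELEASE_RANK:
            raise ValueError(f"unknown RELEASETYPE {rtype!r}")
        return cls(int(fields["MAJORVER"]), int(fields["MINORVER"]),
                   int(fields["PATCHVER"]), rtype,
                   int(fields.get("RELEASEVER") or 0))

    def _key(self):
        return (self.major, self.minor, self.patch,
                _RELEASE_RANK[self.release_type], self.release_ver)

    def __lt__(self, other: "BindVersion") -> bool:
        return self._key() < other._key()

    def __str__(self) -> str:
        s = f"{self.major}.{self.minor}.{self.patch}"
        if self.release_type:
            s += f"{self.release_type}{self.release_ver}"
        return s


def bundled_bind_is_current(version_file: str, minimum: str) -> bool:
    """True if the BIND described by version_file is at least `minimum`."""
    return BindVersion.from_version_file(version_file) >= BindVersion.parse(minimum)


# Constructed sample: contents of bind/version.tmp as they would read for
# the BIND 9.9.5-P1 that the ticket says DHCP 4.3.1 bundles.
DHCP_431_VERSION_TMP = """\
MAJORVER=9
MINORVER=9
PATCHVER=5
RELEASETYPE=-P
RELEASEVER=1
EXTENSIONS=
"""


def main():
    bundled = BindVersion.from_version_file(DHCP_431_VERSION_TMP)
    # Placeholder minimums, not real advisories.
    for minimum in ("9.9.5", "9.9.5-P1", "9.9.7b1", "9.9.7"):
        ok = bundled_bind_is_current(DHCP_431_VERSION_TMP, minimum)
        print(f"bundled BIND {bundled} >= {minimum}: {ok}")


if __name__ == "__main__":
    main()
```

To run it against a real tree, read bind/version.tmp from the unpacked dhcp tarball and pass its contents to bundled_bind_is_current() with the fixed version from the advisory you are tracking; a False result means the dhcp package itself is what needs a rebase, since with static bundling no system BIND update will reach it.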

I created a minimal bind99 package, which contains only the bind99-libs, bind99-devel and bind99-license sub-packages. To prevent conflicts with the system BIND 9.10 libraries and headers, all libs are installed into ''%{_libdir}/bind99'' and headers into ''%{_includedir}/bind99''. DHCP is built using those bind99 libraries. I also patched the Makefile, so just the libraries are built (no binaries). I tested DHCP and it works, so this is definitely an option for solving this situation.

SRPMs are here:
https://thozza.fedorapeople.org/bind99/

COPR repo:
http://copr-fe.cloud.fedoraproject.org/coprs/thozza/bind99-libs/

We discussed this at today's meeting (http://meetbot.fedoraproject.org/fedora-meeting-1/2015-03-05/fpc.2015-03-05-17.00.txt):

  • 502 Temporary exception for DHCP being built using bundled BIND
    libraries in Fedora 22+ (geppetto, 18:42:00)
  • LINK: https://fedorahosted.org/fpc/ticket/502 (geppetto, 18:42:06)
  • ACTION: Can just close this, as it doesn't involve us anymore.
    (geppetto, 18:42:32)

Of course, feel free to reopen if the minimal bind99 package won't work for you.

Metadata Update from @thozza:
- Issue assigned to tibbs

4 years ago