Opened 4 years ago

Closed 4 years ago

#60583 closed enhancement (fixed)

gnupg2 @2.2.20_0: Make +openldap variant non-default

Reported by: michi-zuri (Michael Paul Killian) Owned by: roederja
Priority: Low Milestone:
Component: ports Version: 2.6.2
Keywords: Cc: Ionic (Mihai Moldovan)
Port: gnupg2

Description

When I installed duplicity on my macOS 10.13 system I encountered the following warning message that led me down a rabbit hole:

Warning: couldn't find file '/opt/local/var/run/openldap-data/.turd_openldap' for port 'openldap'. Please deactivate and reactivate the port to fix this issue.

I managed to disable the warning by creating an empty .turd_openldap file with readable permissions, but it left me wondering why gnupg2 needs openldap by default at all? Is it actually used by anything if the user does not manually configure openldap?

I went ahead and reinstalled gnupg2 with the -openldap variant, since I am not intending to do any configuration for openldap myself. Could anyone confirm though that openldap is only used if configured, or am I missing out on some magic behind the curtains now?

If my assumptions are correct, I would propose to make openldap an opt-in variant of gnupg2, rather than opt-out.

Change History (4)

comment:1 in reply to:  description Changed 4 years ago by ryandesign (Ryan Carsten Schmidt)

Cc: Ionic added
Owner: set to roederja
Status: new → assigned
Summary: gnupg2 @2.2.20_0 → gnupg2 @2.2.20_0: Make +openldap variant non-default

Replying to michi-zuri:

When I installed duplicity on my macOS 10.13 system I encountered the following warning message that led me down a rabbit hole:

Warning: couldn't find file '/opt/local/var/run/openldap-data/.turd_openldap' for port 'openldap'. Please deactivate and reactivate the port to fix this issue.

I managed to disable the warning by creating an empty .turd_openldap file with readable permissions,

I can't explain why the .turd_openldap file was missing for you. It should have been there. Its presence just makes sure that MacPorts doesn't consider the directory empty and delete it. Deactivating and reactivating the port as suggested by the warning should have brought the file back.

but it left me wondering why gnupg2 needs openldap by default at all? Is it actually used by anything if the user does not manually configure openldap?

I went ahead and reinstalled gnupg2 with the -openldap variant, since I am not intending to do any configuration for openldap myself. Could anyone confirm though that openldap is only used if configured, or am I missing out on some magic behind the curtains now?

If my assumptions are correct, I would propose to make openldap an opt-in variant of gnupg2, rather than opt-out.

There is extensive prior discussion on this matter in the pull request that changed the openldap dependency from mandatory to a variant:

https://github.com/macports/macports-ports/pull/2625

Many argued that they did not need openldap support in gnupg2 and that it should be moved to a variant and that the variant should not be enabled by default. This would have the additional advantage that the gnupg2 port would become distributable. One of the maintainers of the port argued against the creation of the variant at all but eventually accepted the variant if it was enabled by default. The other maintainer did not comment.

comment:2 Changed 4 years ago by Ionic (Mihai Moldovan)

Uh, I totally missed that, but generally I don't see a huge benefit to depending upon openldap for GPG.

I've never needed it on my Linux-based systems, but then again I've never used LDAP to begin with.

To be fair, the problem discussed in this PR seems to stem from the openldap port *and* a non-standard installation, so I can see why Jan was reluctant to change anything in the gnupg port. If the openldap port breaks, that one should be fixed.

But, as said, I also don't see a huge benefit in having the OpenLDAP-integration within gnupg. If this taints redistribution, even worse.

Variants are definitely a two-sided sword. They are both powerful, but also too powerful (well, that's really a shortcoming of Portfiles being TCL scripts), but any non-standard variant will also make people have to build software on their machines instead of using pre-built packages, mostly due to combinatorial explosion. I.e., for n variants, there are 2^n possible combinations, which would be crazy to build.

I'd be in favor of making the OpenLDAP-integration fully optional.

Last edited 4 years ago by Ionic (Mihai Moldovan)

comment:3 Changed 4 years ago by neverpanic (Clemens Lang)

In d644837344a9c30b587899a9b58c5b249a666e09/macports-ports (master):

gnupg2: Update to 2.2.25, fix +openldap on Big Sur

Update gnupg2 to the latest version 2.2.25.

| Noteworthy changes in version 2.2.25
| ====================================
|
| * scd: Fix regression in 2.2.24 requiring gpg --card-status before
| signing or decrypting.
| https://dev.gnupg.org/T5065
|
| * gpgsm: Using Libksba 1.5.0 signatures with a rarely used
| combination of attributes can now be verified.
| https://dev.gnupg.org/T5146
|
| Release-info: https://dev.gnupg.org/T5140

Additionally, fix a failure to correctly compile against OpenLDAP when
+openldap is enabled (which is the default) due to
-Werror=implicit-function-declaration.

| conftest.c:84:1: error: implicit declaration of function 'ldap_open' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
| ldap_open("foobar",1234);
|
| conftest.c:84:1: note: did you mean 'ldap_turn'?
| /opt/local/include/ldap.h:2097:1: note: 'ldap_turn' declared here
| ldap_turn LDAP_P(( LDAP *ld,
|
| 1 error generated.

This happens because the configure script checks for ldap_open(3), which
was deprecated 20 years ago in [1], and hidden behind a preprocessor
define 16 years ago in [2]. With -Werror=implicit-function-declaration,
the unavailability of the function declaration makes the configure test
fail and gnupg2 build without LDAP support.

Fix this by adding -DLDAP_DEPRECATED=1 to the preprocessor flags, which
makes the configure test pass again. This is a stop-gap measure, and if
the LDAP support in gnupg depends on code that was deprecated 16 years
ago, maybe it should just be disabled, or at least removed from the
default variants.

[1]: https://git.openldap.org/openldap/openldap/-/commit/5417fdfea7004888c3f40840f8ed1c29fa738581
[2]: https://git.openldap.org/openldap/openldap/-/commit/4d29df5bd1fabcdc50975651c746365686b62b53

See: #60583
See: https://github.com/macports/macports-ports/pull/2625
See: https://github.com/macports/macports-ports/pull/3214

comment:4 Changed 4 years ago by neverpanic (Clemens Lang)

Resolution: fixed
Status: assigned → closed

In 2e94eba2c78426523fed53aa7b562b3fe18ea8de/macports-ports (master):

gnupg2: Remove +openldap from default variants

Both maintainers agree that this is the way to go:

Closes: #60583
