borgbackup
openindiana: xxhash package missing, openssl not found via pkg-config
master branch:
Needs (because openssl is not found via pkg-config):
export BORG_OPENSSL_PREFIX=/usr/openssl/1.1
Also, the borgbackup build fails, because it can not find xxhash.h, because there is no (lib)xxh(ash) package available for OI.
As I removed the bundled 3rd party code from borg 1.4-maint branch, the xxhash issue will also apply to borg 1.4 release (soon!).
Openindiana packagers:
Please package xxhash and make sure pkg-config works for xxhash and openssl.
Alright. I got a beta package produced quite easily. Libxxhash is now in review to be integrated at https://github.com/OpenIndiana/oi-userland/pull/16459 and should soon (a day or so) land
The pkgconfig variables are actually being resolved, however we are using a IPS feature people from other operating-system do not know to separate all out openssl versions, called mediators. Before you can build you have to run pfexec pkg set-mediator -V 3.1 openssl after that pkgconfig finds a compatible openssl.
Since I do not know how to produce a viable release tarball I had to hack the borgbackup package a bit. Once a release is published we can update the package. See https://github.com/Toasterson/oi-userland/tree/borgbackup/140beta2 for reference.
@Toasterson Thanks for working on this and also for the set-mediator hint, I really didn't know about that (but borg has a workaround via an env var for cases when pkg-config doesn't work, so I used that).
I'll update the vagrant box I use soon, so maybe borg 1.4.0b2 can get the usual platform testing I do with that before it gets released.
@Toasterson I left some comments there: https://github.com/Toasterson/oi-userland/commit/f3b5ad4b1ff5448a3d93512899742dcbe4603f76
@Toasterson Is that your OI box?:
https://app.vagrantup.com/openindiana/boxes/hipster
Yes, and the OpenIndiana Official one :) I am currently updating it, the only thing it will need is an update and reboot for the new Boot environment to become active.
xxhash landed in hipster:
http://pkg.openindiana.org/hipster/info/0/library%2Flibxxhash%400.8.2%2C5.11-2024.0.0.1%3A20240312T202057Z
Now only the vagrant box update is missing. ;-)
They where published quite some time ago :) And I rebuilt the vagrant box again. So that works now aswell.
So you still need to upload it there, right?
https://app.vagrantup.com/openindiana/boxes/hipster
Yes, but it's a bit wonky. I found the one I made two weeks ago. And there were very old versions I thought I deleted. I cleaned it up, should help already. The new one should be visible soon. The Twoo weeks old one works aswell :)
OK, now there is v202403 released 15d ago (this was not visible to me when I looked a few hours ago).
So, what is the version number of the latest version?
Uhoh, that's the backdoored xz version:
http://pkg.openindiana.org/hipster/info/0/compress%2Fxz%405.6.1%2C5.11-2024.0.0.0%3A20240311T222914Z
https://www.cve.org/CVERecord?id=CVE-2024-3094
OK, now there is v202403 released 15d ago (this was not visible to me when I looked a few hours ago).
Yep it was hidden beneath Versions that I thought I deleted. This is the latest version yes. The run today will have updated this version.
Uhoh, that's the backdoored xz version:
No, fortunately, the vuln didn't make it into the built binary. Looks like our OS was too exotic.
BTW, I tested borg 1.2.8 on openindiana (using your box and libxxhash, thanks!), it worked.