[CentOS] Glibc sources?

Mon Mar 2 17:15:24 UTC 2015
Johnny Hughes <johnny at centos.org>

On 03/02/2015 11:00 AM, Johnny Hughes wrote:
> On 03/02/2015 10:38 AM, ANDY KENNEDY wrote:
>>>> I'm tasked with reconstructing the CentOS version of the GlibC library for testing with
>>>> gethostbyname().  My mission is to show that we are not affected by the latest exploit for
>>>> the product we are shipping targeted for RHEL and CentOS.  To do so, I want to equip
>>>> gethostbyname() with additional code.
>>>
>>> Do you plan on shipping this updated glibc as part of the product, or is
>>> this simply for testing? If you plan to distribute/ship an updated
>>> glibc, that's probably going to raise a few eyebrows and anger a few
>>> sysadmins.
>>
>> No release.  Only testing.
>>
> 
> Also, please be advised that rebuilding a package and then trying to
> compare it to something else built earlier is likely not going to work
> unless you can duplicate the exact set of packages that are installed in
> the build root at the time of the build.  Even then, with documentation
> generation, you STILL might not get an exact, bit for bit, match when
> building later.
> 
> It is almost impossible to duplicate a closed and staged build system
> for a given date unless you are trying very hard to do so.
> 
>>>
>>>> My objective is to rebuild from source the EXACT version of GlibC for CentOS 6.6.
>>>> Afterwards, I will make my changes in the code, rebuild and complete my testing.
>>>>
> 
> ^^ That would likely be impossible to accomplish. See my comments above.
> 
> <snip>


The list of packages that were in the "mock build root" for our build of
the glibc-2.12-1.149.el6_6.5.x86_64.src.rpm is here:

http://ur1.ca/ju24m

To get close to an exact match, you need to use mock and use the
packages listed above (and only those versions) if you are trying to get
a build that matches what we built.

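Added example, not part of the original message or of CentOS tooling: a way to check how far a local mock build root drifts from a reference package list before attempting a matching rebuild. It assumes both lists hold one `name-version-release.arch` entry per line (for instance from `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'` run inside the chroot); the format of the linked list is not shown in the message, and all package names in the sample data are constructed.

```python
"""Compare a mock build root's package set against a reference list."""


def split_nvra(line):
    """Split 'name-version-release.arch' into ((name, arch), 'version-release')."""
    nvr, _, arch = line.strip().rpartition(".")
    # Version and release never contain '-', so split from the right.
    name, version, release = nvr.rsplit("-", 2)
    return (name, arch), f"{version}-{release}"


def load(lines):
    """Map (name, arch) -> version-release, skipping blank lines.

    Assumption: at most one installed version per (name, arch), which
    holds for a normal build root; epochs are ignored.
    """
    return dict(split_nvra(line) for line in lines if line.strip())


def compare_buildroot(reference_lines, actual_lines):
    """Report packages that are missing, extra, or at a different version."""
    ref, act = load(reference_lines), load(actual_lines)
    return {
        "missing": sorted(k for k in ref if k not in act),
        "extra": sorted(k for k in act if k not in ref),
        "mismatched": sorted(
            (k, ref[k], act[k]) for k in ref if k in act and ref[k] != act[k]
        ),
    }


# Constructed sample data (hypothetical package names, not the real list).
REFERENCE = """\
example-gcc-4.4.7-11.el6.x86_64
example-binutils-2.20.51-5.el6.x86_64
example-texinfo-4.13-8.el6.x86_64
example-libfoo-devel-1.2.3-4.el6.i686
"""
ACTUAL = """\
example-gcc-4.4.7-16.el6.x86_64
example-binutils-2.20.51-5.el6.x86_64
example-libfoo-devel-1.2.3-4.el6.i686
example-newtool-0.9-1.el6.noarch
"""

if __name__ == "__main__":
    report = compare_buildroot(REFERENCE.splitlines(), ACTUAL.splitlines())
    for kind, entries in report.items():
        print(kind, entries)
```

Any entry under `missing`, `extra` or `mismatched` means the build root differs from the reference and the rebuilt binaries should not be expected to match.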