[civetweb] download instead of bundle, bump from 1.15 to 1.16, and define proper CMake target#21947
[civetweb] download instead of bundle, bump from 1.15 to 1.16, and define proper CMake target#21947ferdymercury wants to merge 43 commits intoroot-project:masterfrom
Conversation
Test Results 22 files 22 suites 3d 13h 0m 11s ⏱️ For more details on these failures, see this check. Results for commit be0cde1. ♻️ This comment has been updated with latest results. |
| ${FASTCGI_LIBRARY} | ||
| ${CMAKE_DL_LIBS} | ||
| civetweb::civetweb | ||
| DEPENDENCIES |
There was a problem hiding this comment.
TO-DO: discuss if builtin_civetweb=OFF should be discouraged, by emitting a warning or better describing ROotBuildOptions text.
See discussion root-project/root-ci-images#110 (comment)
ferdymercury
added
the
skip code analysis
|
@linev for Fedora we'd need root-project/root-ci-images#111 |
| endif() | ||
| endif() | ||
| if (NOT builtin_civetweb) | ||
| target_compile_definitions(civetweb::civetweb INTERFACE _EXTERNAL_CIVETWEB) # temporary hack for: with external civetweb one gets failure R__memcompress |
There was a problem hiding this comment.
TO-DO investigate
|
@linev do you have a Mac where you could try out this PR ? It's the only platform failing, with error:
Could you run |
Compilation with builtin_openssl probably just worked fine because it picked system-wide openssl headers rather than the builtin ones. Found out while investigating failures in root-project#21947
|
Finally! Compilation failures on Mac solved, now builds on all platforms. |
|
@linev you mentioned that on some platforms the system-civetweb was not stable. Do you remember which platforms that was or how we can test the current status? Was it running a specific test? Do you remember exactly which ones? I see opensuse having these flags: and Debian here has some extra patches on 1.16 https://sources.debian.org/patches/civetweb/1.16+dfsg-4/ It looks like Debian 1.16 patches contain some fixes for DoS attacks and CVEs, so I think it would be beneficial if we switched to builtin_civetweb=OFF At least on the platforms where you are not aware of crashes. |
|
This was my attempt to make OpenSUSE package better. This is main problem for me - even I think all necessary flags are provided something is still wrong. |
|
Thanks for the feedback. |
It crashed when used with |
Ok, thanks. What can be worrying is that users downloading the release binaries are (most of them unknowingly) using a builtin civetweb, even if they installed libcivetweb-dev. There are known vulnerabilities in civetweb. Once the maintainer releases version 1.17, users having installed the system pacakge would (soonish) automatically get security updates for but ROOT 6.40 downloaded from binaries would still be (unknowingly) vulnerable for maybe a long time.
It could be useful if we document in the code or in a GH issue which platforms and what civetweb versions they were using to keep track of when this potentially gets solved. That way, we can then say find_package(civetweb 1.17) else use builtin. In my opinion, we should also add patches from CVE vulnerabilities to the builtin version as soon as possible on top of this PR. |
3 participants
No description provided.