2008-10-04

courier-authlib: how not to use libtool

Due to security issues with the old version, I upgraded courier-authlib to version 0.61.0. In the course of the upgrade, though, I discovered a number of library-related weirdnesses.

The symptom was that /usr/pksrc/lib/courier-authlib/libcourierauth.so.0 was a symlink to libcourierauth.so rather than the other way around. Closer inspection of the Makefile showed that evidently someone had a very weird understanding of libtool.

The .la rules all contained the flag -avoid-version, which removes the .0.0 version suffix from the library name. However, it seems that the authors nevertheless wanted these suffixes, so they re-added them using this for loop:

for f in $(pkglib_LTLIBRARIES); do . $$f; rm -f $(DESTDIR)$(pkglibdir)/$$dlname.0 $(DESTDIR)$(pkglibdir)/$$dlname.0.0; ln -s $$dlname $(DESTDIR)$(pkglibdir)/$$dlname.0; done

This line reads every .la file as a shell script and creates the versioned name as a symlink to the unversioned library, since the addition of -avoid-version prevents libtool --mode=install from taking care of the symlinks itself. Even worse, on some platforms these versioned files should not even exist. It only ever works by pure chance.
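
One way to audit an installed directory for this layout, as an added example that is not part of the original post or of courier-authlib: it reads dlname from each .la file with sed rather than sourcing the file, and flags every dlname.0 that is a symlink to the unversioned library. The function names and the sample tree are made up for the illustration.

```shell
#!/bin/sh
# Added example (not from courier-authlib): detect the inverted symlink layout.

# Read dlname from a libtool .la file with sed instead of sourcing the file,
# so nothing inside the .la is ever executed by the shell.
la_dlname() {
    sed -n "s/^dlname='\([^']*\)'\$/\1/p" "$1" | head -n 1
}

# Report every <dlname>.0 that is a symlink to the unversioned <dlname>.
# Returns 1 if at least one inverted link was found, 0 otherwise.
check_libdir() {
    dir=$1
    found=0
    for la in "$dir"/*.la; do
        [ -f "$la" ] || continue
        name=$(la_dlname "$la")
        [ -n "$name" ] || continue
        if [ -L "$dir/$name.0" ] && [ "$(readlink "$dir/$name.0")" = "$name" ]; then
            echo "inverted: $dir/$name.0 -> $name"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample: the layout the install loop above leaves behind.
make_inverted_sample() {
    d=$(mktemp -d) || return 1
    printf "%s\n" "# constructed .la file" "dlname='libcourierauth.so'" > "$d/libcourierauth.la"
    : > "$d/libcourierauth.so"
    ln -s libcourierauth.so "$d/libcourierauth.so.0"
    echo "$d"
}

# Usage: sh check.sh /path/to/pkglibdir
if [ $# -gt 0 ]; then
    check_libdir "$1"
fi
```

A directory installed by libtool with its normal versioning passes the check, because there the versioned name points at the real file and not at the unversioned link.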

This is just one of the countless ways people found to abuse libtool in horrible ways to break portability. It seems that the funniest part about libtool is the number of ways in which people don't understand it.

