Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Bug#568601: netatalk: PAM DHX2: libgcrypt versions mismatch

57 views
Skip to first unread message

Yuxuan Wang

unread,
Feb 5, 2010, 9:10:01 PM2/5/10
to
Package: netatalk
Version: 2.0.5-3
Severity: important


after upgrade, the dhx2 auth is unusable, got the following log in
syslog:

afpd[25514]: PAM DHX2: libgcrypt versions mismatch. Need: 3086019268
afpd[25514]: DHX2: Couldn't generate p and g

looks like it's built against a different version of libgcrypt that
squeeze provides.

-- System Information:
Debian Release: squeeze/sid
APT prefers testing-proposed-updates
APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages netatalk depends on:
ii libc6 2.10.2-2 GNU C Library: Shared libraries
ii libcomerr2 1.41.9-1 common error description library
ii libcrack2 2.8.15-6+b1 pro-active password checker librar
ii libcups2 1.4.2-4 Common UNIX Printing System(tm) -
ii libdb4.8 4.8.26-1 Berkeley v4.8 Database Libraries [
ii libgcrypt11 1.4.4-6 LGPL Crypto library - runtime libr
ii libgnutls26 2.8.5-2 the GNU TLS library - runtime libr
ii libgssapi-krb5-2 1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries - k
ii libk5crypto3 1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries - C
ii libkrb5-3 1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries
ii libpam-modules 1.1.0-4 Pluggable Authentication Modules f
ii libpam0g 1.1.0-4 Pluggable Authentication Modules l
ii libwrap0 7.6.q-18 Wietse Venema's TCP wrappers libra
ii netbase 4.40 Basic TCP/IP networking system
ii perl 5.10.1-9 Larry Wall's Practical Extraction
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages netatalk recommends:
ii cracklib-runtime 2.8.15-6+b1 runtime support for password check
ii db4.8-util 4.8.26-1 Berkeley v4.8 Database Utilities
ii libpam-cracklib 1.1.0-4 PAM module to enable cracklib supp
ii lsof 4.81.dfsg.1-1 List open files
ii procps 1:3.2.8-2 /proc file system utilities
ii rc 1.7.1-3 an implementation of the AT&T Plan

Versions of packages netatalk suggests:
pn db4.2-util <none> (no description available)
pn db4.7-util <none> (no description available)
pn groff <none> (no description available)
pn quota <none> (no description available)
ii texlive-binaries [texlive-bas 2009-5 Binaries for TeX Live

-- no debconf information

--
To UNSUBSCRIBE, email to debian-bugs-...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org

Frank Lahm

unread,
Feb 7, 2010, 7:20:02 AM2/7/10
to
2010/2/6 Yuxuan Wang <fish...@gmail.com>:

> Package: netatalk
> Version: 2.0.5-3
> Severity: important
>
>
> after upgrade, the dhx2 auth is unusable, got the following log in
> syslog:
>
> afpd[25514]: PAM DHX2: libgcrypt versions mismatch. Need: 3086019268

It's trying to complain that the installed libgcrypt version is older
then the one used at compile time. Unfortunately the printf format
string has a %u instead of a %s so the "Need: X" is garbage. This has
already been adressed in Netatalk CVS.

I can't really give you a clue or tell if and how the Debian package
has a problem. You might try to install a newer version of libgcrypt
somehow.

Hth,
Frank, Netatalk Dev.

fishy

unread,
Feb 7, 2010, 7:40:03 AM2/7/10
to
Manually upgrade libgcrypt11 to 1.4.5-2 fixed this problem, thanks.

--
regards,
fishy

Jonas Smedegaard

unread,
Feb 7, 2010, 7:40:03 AM2/7/10
to
On Sun, Feb 07, 2010 at 01:11:11PM +0100, Frank Lahm wrote:
>2010/2/6 Yuxuan Wang <fish...@gmail.com>:
>> after upgrade, the dhx2 auth is unusable, got the following log in
>> syslog:
>>
>> afpd[25514]: PAM DHX2: libgcrypt versions mismatch. Need: 3086019268

Thanks for the bugreport, Youxuan!


>It's trying to complain that the installed libgcrypt version is older
>then the one used at compile time. Unfortunately the printf format
>string has a %u instead of a %s so the "Need: X" is garbage. This has
>already been adressed in Netatalk CVS.

Thanks for the

I guess the fix is to spit out an improved error message, not somehow
making netatalk more flexible about libgrcrypt version, right Frank?


>I can't really give you a clue or tell if and how the Debian package
>has a problem. You might try to install a newer version of libgcrypt
>somehow.

The Debian package has a problem in not declaring tight enough package
dependencies: Instead of a broken installation, the package should
refuse to install if a properly working libgcrypt could not be ensured
to also be available on the installed system. Such refusal could then
get detected by distrowide metatools to report when the package needed
to be recompiled.

Hope that clarifies :-)


@Youxuan: I agree with you on the urgency of this bugreport. Thanks
again!


- Jonas

--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/

[x] quote me freely [ ] ask before reusing [ ] keep private

signature.asc

Frank Lahm

unread,
Feb 7, 2010, 7:50:01 AM2/7/10
to
Hi Jonas,

2010/2/7 Jonas Smedegaard <d...@jones.dk>:


> On Sun, Feb 07, 2010 at 01:11:11PM +0100, Frank Lahm wrote:
>>
>> 2010/2/6 Yuxuan Wang <fish...@gmail.com>:
>>>
>>> after upgrade, the dhx2 auth is unusable, got the following log in
>>> syslog:
>>>
>>> afpd[25514]: PAM DHX2: libgcrypt versions mismatch. Need: 3086019268
>
> Thanks for the bugreport, Youxuan!
>
>
>> It's trying to complain that the installed libgcrypt version is older then
>> the one used at compile time. Unfortunately the printf format string has a
>> %u instead of a %s so the "Need: X" is garbage. This has already been
>> adressed in Netatalk CVS.
>
> Thanks for the
> I guess the fix is to spit out an improved error message, not somehow making
> netatalk more flexible about libgrcrypt version, right Frank?

I'm not sure what you're implying or asking here. The next version of
Netatalk will in this case ouput "Need
COMPILE_TIME_VERSION_AS_STRING".
Netatalk can't be "more flexible" about this requirement, because if
afpd has been compiled with version x.y.z, it is a requirement that
the installed version _at least_ is a high. It can be higher though of
course.

Regards!
-Frank

Matijs van Zuijlen

unread,
Nov 30, 2023, 9:10:05 AM11/30/23
to
Dear maintainer,

This problem still exists. I installed netatalk from testing on a Debian
server running stable, and libgcrypt was not updated at the same time
because the dependency in the netatalk package specifies '>= 1.10.0',
which matches the stable version 1.10.1, while testing's netatalk
actually needs libgcrypt 1.10.2. This lead to a flood of errors in the
logs. Updating the libgcrypt package to the testing version (1.10.2)
fixed that problem.

As far as I can tell, the solution would be for the netatalk package to
depend on (at least?) the libgcrypt version it was compiled with.

--
Kind regards,
Matijs van Zuijlen

Daniel Markstedt

unread,
Nov 30, 2023, 6:50:06 PM11/30/23
to
Hi Matijs,

This is not something we can address in the netatalk package itself, since you're using an Unstable netatalk package with a Stable Debian version. (Netatalk was dropped from Debian 12 Bookworm.)

See this upstream discussion for more details: https://github.com/Netatalk/netatalk/discussions/574


Best regards,
Daniel
> --
> pkg-netatalk-devel mailing list
> pkg-netat...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-netatalk-devel

Matijs van Zuijlen

unread,
Dec 1, 2023, 4:20:05 AM12/1/23
to
Hi Daniel,

Indeed, I am running Debian stable on my server with just netatalk and
some of its dependencies from testing, so my setup is a bit unconventional.

This is in fact the case because Netatalk was dropped from Debian 12,
and I didn't want to keep running the old version which has a security
issue.

However, I think installing netatalk from any Debian version should
still pull in the correct version of libgcrypt. Isn't that something
that can be addressed in the netatalk package? I can imagine later
versions of netatalk would need still newer versions of libgcrypt. The
current dependency specification would fail to pull those in.

Kind regards,
Matijs van Zuijlen

Daniel Markstedt

unread,
Dec 1, 2023, 7:20:05 AM12/1/23
to
Hi Matijs,

I totally get your point and agree that this situation is not ideal.
Unfortunately, I don't think the exact dependent package version is something that we as package managers can or should hard code in this fashion.

Look at the "debian/control" file in the package repo:
https://salsa.debian.org/netatalk-team/netatalk/-/blob/debian/latest/debian/control#L20

See that "libgcrypt20-dev" is defined as a dependency without specifying a version.
It is actually debbuild (I think) that resolves the exact version dependency when it builds the package for a particular Debian version.

Hence, when debbuild builds a package for Bookworm Stable, the dependency resolves as libgcrypt20-dev==1.10.1 and when it's built for Unstable it gets resolved as libgcrypt20-dev==1.10.2.

So when you install the Unstable package on Bookworm you run into this dependency problem with libgcrypt20-dev.

Someone who knows Debian better could correct me if I'm wrong. :)

Does this make sense?

Daniel
0 new messages