Commit Graph

31 Commits

Author SHA1 Message Date
Yarny0
69fcbeb49a tsm-client: 8.1.19.0 -> 8.1.20.0
"Update History" (release notes):
https://www.ibm.com/support/pages/node/6998343

At the time of this writing,
the list of fixed vulnerabilities is empty:
https://www.ibm.com/support/pages/node/7015829
2023-09-15 15:47:50 +02:00
Yarny0
a4b7a62532 tsm-client: update package metadata urls
Due to IBM renaming their product from
"IBM spectrum protect" to "IBM storage protect",
urls have changed and some of the old urls no longer work.
2023-07-02 08:36:59 +02:00
Yarny0
5ff5b2ae4c tsm-client: 8.1.17.2 -> 8.1.19.0
"Update History" (release notes):
https://www.ibm.com/support/pages/node/6998343

With this release, IBM renamed the product from
"IBM Spectrum Protect" to "IBM Storage Protect":
https://www.ibm.com/support/pages/node/6964770
However, URLs apparently haven't been changed (yet).
2023-06-17 10:31:30 +02:00
Yarny0
fca76c5810 tsm-client: fix absolute symlinks, drop openssl dependency
`tsm-client` is delivered with its
own `lib{crypto,ssl}.so` implementation.
Beginning with version 8.1.9.1, those `.so`-files came with
absolute symlinks to `/opt/...` causing `autoPatchelf`
to abort with error messages of the form

> error: auto-patchelf could not satisfy dependency libssl.so.1.1

I was under the impression that a new dependency
got introduced and added `openssl` to `builtInputs`
in commit 5ad0ecb901.
This fixed the build, but `tsm-client` no longer
linked against its own ssl implementation.

The commit at hand corrects that mistake:
It adds a small `preFixup` script that finds
and adapts absolute symlinks to `/opt/`,
so that `autoPatchelfHook` finds those
`so`-files again and sets RPATH properly.
This permits to drop `openssl` from the dependency list again.
2023-04-05 19:32:52 +02:00
Yarny0
941b891e26 tsm-client: use libxcrypt-legacy to fix build
Since commit 4e300e071b
building `tsm-client` fails with error messages

> error: auto-patchelf could not satisfy dependency libcrypt.so.1 wanted by [...]

Luckily, commit 9b766dd41b
introduces `libxcrypt-legacy` which again provides `libcrypt.so.1`.
2023-04-04 19:39:32 +02:00
Yarny0
211a963855 tsm-client: 8.1.17.0 -> 8.1.17.2
IBM's "Authorized Program Analysis Report"s
(something like release notes):

https://www.ibm.com/support/pages/node/6845804

Security Bulletins:

https://www.ibm.com/support/pages/node/6956237 (CVE-2022-31129, CVE-2022-24785, CVE-2021-3807, CVE-2022-29244, CVE-2022-3517)
https://www.ibm.com/support/pages/node/6962863 (CVE-2021-33813)
https://www.ibm.com/support/pages/node/6963071 (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619)
https://www.ibm.com/support/pages/node/6963786 (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286)
https://www.ibm.com/support/pages/node/6963784 (CVE-2022-4450, CVE-2023-0216, CVE-2023-0401, CVE-2022-4203, CVE-2023-0217)
2023-03-19 21:04:21 +01:00
Yarny0
57c8c6c3d2 Revert "tsm-client: fix patching rpath with autoPatchelf"
This reverts commit 1ed9ba08f1.

After the underlying bug in `auto-patchelf.py` got fixed,
this workaround is no longer necessary.
2023-01-15 10:57:22 +01:00
Yarny0
2fbf439bf2 tsm-client: 8.1.15.1 -> 8.1.17.0
IBM's "Authorized Program Analysis Report"s
(something like release notes):

https://www.ibm.com/support/pages/node/6845804

README:

https://www.ibm.com/support/pages/node/617857#8117Readme

Security Bulletin:

https://www.ibm.com/support/pages/node/6842073 (CVE-2022-34165, CVE-2022-42003, CVE-2022-42004, CVE-2021-33813, CVE-2018-25032)

The security bulletin seem to require a login,
as it returns "403 Forbidden" at the time of this writing.
2022-12-10 19:03:43 +01:00
Yarny0
db63f9cb66 tsm-client: fix build with libxcrypt
After libcrypt support got dropped from `glibc`,
`libxcrypt` needs to be added to packages that still require it.

References:
https://github.com/NixOS/nixpkgs/pull/181764
ff30c899d8
2022-10-31 18:34:53 +01:00
Yarny0
cce8f0a3e3
tsm-client: 8.1.15.1 -> 8.1.15.2, pin openssl version (#193556) 2022-10-17 01:31:05 +02:00
Yarny0
5eaf0423eb tsm-client: 8.1.15.0 -> 8.1.15.1
IBM's "Authorized Program Analysis Report"s
(something like release notes):

https://www.ibm.com/support/pages/node/6590857

README:

https://www.ibm.com/support/pages/node/6593819

No Security Bulletins.

This also updates the version number and date in a comment.
The informations in the comment are still valid.
2022-08-13 08:26:28 +02:00
Yarny0
1132884a8d tsm-client: fix typo in comment 2022-08-13 08:26:28 +02:00
Yarny0
4f4aa9685a tsm-client: 8.1.14.0 -> 8.1.15.0
IBM's "Authorized Program Analysis Report"s
(something like release notes):

https://www.ibm.com/support/pages/node/6590857

README:

https://www.ibm.com/support/pages/node/6593819

Security Bulletins:

https://www.ibm.com/support/pages/node/6596379 (CVE-2021-35550, CVE-2021-35603)
https://www.ibm.com/support/pages/node/6596741 (CVE-2022-22478, CVE-2022-22474)
https://www.ibm.com/support/pages/node/6596399 (CVE-2022-0778)
2022-07-07 19:22:30 +02:00
Yarny0
1ed9ba08f1 tsm-client: fix patching rpath with autoPatchelf
Since commit
7b9fd5d1c9
tsm-client no longer produces working binaries
(discovered with bisection).
Instead, calling the command line client `dsmc`
just produces the error

> error while loading shared libraries: libtsmxerces-depdom.so.28: cannot open shared object file: No such file or directory

Output of `ldd $out/dsmc`

> linux-vdso.so.1 (0x00007ffd89f70000)
> libgsk8ssl_64.so => /nix/store/i21g0x44g336ag8rkx0dgndb9v4w2xhk-tsm-client-8.1.13.3-unwrapped/local/ibm/gsk8_64/lib64/libgsk8ssl_64.so (0x0000791c8eb34000)
> libgsk8iccs_64.so => /nix/store/i21g0x44g336ag8rkx0dgndb9v4w2xhk-tsm-client-8.1.13.3-unwrapped/local/ibm/gsk8_64/lib64/libgsk8iccs_64.so (0x0000791c8e9b7000)
> libgsk8km_64.so => /nix/store/i21g0x44g336ag8rkx0dgndb9v4w2xhk-tsm-client-8.1.13.3-unwrapped/local/ibm/gsk8_64/lib64/libgsk8km_64.so (0x0000791c8e791000)
> libxmlutil-8.1.13.0.so => /nix/store/i21g0x44g336ag8rkx0dgndb9v4w2xhk-tsm-client-8.1.13.3-unwrapped/opt/tivoli/tsm/client/api/bin64/libxmlutil-8.1.13.0.so (0x0000791c8e675000)
> libcrypt.so.1 => /nix/store/qjgj2642srlbr59wwdihnn66sw97ming-glibc-2.33-123/lib/libcrypt.so.1 (0x0000791c8e639000)
> libpthread.so.0 => /nix/store/qjgj2642srlbr59wwdihnn66sw97ming-glibc-2.33-123/lib/libpthread.so.0 (0x0000791c8e619000)
> libdl.so.2 => /nix/store/qjgj2642srlbr59wwdihnn66sw97ming-glibc-2.33-123/lib/libdl.so.2 (0x0000791c8e614000)
> libstdc++.so.6 => /nix/store/ndnqiz3nnifj1blhg9q626xlmkqq1nmh-gcc-10.3.0-lib/lib/libstdc++.so.6 (0x0000791c8e43f000)
> libgpfs.so => /nix/store/i21g0x44g336ag8rkx0dgndb9v4w2xhk-tsm-client-8.1.13.3-unwrapped/opt/tivoli/tsm/client/api/bin64/libgpfs.so (0x0000791c8e22a000)
> libdmapi.so => /nix/store/i21g0x44g336ag8rkx0dgndb9v4w2xhk-tsm-client-8.1.13.3-unwrapped/opt/tivoli/tsm/client/api/bin64/libdmapi.so (0x0000791c8e020000)
> librt.so.1 => /nix/store/qjgj2642srlbr59wwdihnn66sw97ming-glibc-2.33-123/lib/librt.so.1 (0x0000791c8e015000)
> libm.so.6 => /nix/store/qjgj2642srlbr59wwdihnn66sw97ming-glibc-2.33-123/lib/libm.so.6 (0x0000791c8ded4000)
> libgcc_s.so.1 => /nix/store/ndnqiz3nnifj1blhg9q626xlmkqq1nmh-gcc-10.3.0-lib/lib/libgcc_s.so.1 (0x0000791c8deba000)
> libc.so.6 => /nix/store/qjgj2642srlbr59wwdihnn66sw97ming-glibc-2.33-123/lib/libc.so.6 (0x0000791c8dce5000)
> libgsk8cms_64.so => /nix/store/i21g0x44g336ag8rkx0dgndb9v4w2xhk-tsm-client-8.1.13.3-unwrapped/local/ibm/gsk8_64/lib64/libgsk8cms_64.so (0x0000791c8d78d000)
> /nix/store/4s21k8k7p1mfik0b33r2spq5hq7774k1-glibc-2.33-108/lib/ld-linux-x86-64.so.2 => /nix/store/qjgj2642srlbr59wwdihnn66sw97ming-glibc-2.33-123/lib64/ld-linux-x86-64.so.2 (0x0000791c8f074000)
> libtsmxerces-depdom.so.28 => not found
> libtsmxerces-c.so.28 => not found

Output of `ldd $out/lib/libtsmxerces-depdom.so.28`

> linux-vdso.so.1 (0x00007fff69388000)
> libpthread.so.0 => /nix/store/qjgj2642srlbr59wwdihnn66sw97ming-glibc-2.33-123/lib/libpthread.so.0 (0x000078f150454000)
> libtsmxerces-c.so.28 => not found
> libstdc++.so.6 => /nix/store/ndnqiz3nnifj1blhg9q626xlmkqq1nmh-gcc-10.3.0-lib/lib/libstdc++.so.6 (0x000078f15027f000)
> libm.so.6 => /nix/store/qjgj2642srlbr59wwdihnn66sw97ming-glibc-2.33-123/lib/libm.so.6 (0x000078f15013e000)
> libgcc_s.so.1 => /nix/store/ndnqiz3nnifj1blhg9q626xlmkqq1nmh-gcc-10.3.0-lib/lib/libgcc_s.so.1 (0x000078f150124000)
> libc.so.6 => /nix/store/qjgj2642srlbr59wwdihnn66sw97ming-glibc-2.33-123/lib/libc.so.6 (0x000078f14ff4d000)
> /nix/store/qjgj2642srlbr59wwdihnn66sw97ming-glibc-2.33-123/lib64/ld-linux-x86-64.so.2 (0x000078f150601000)

The commit given above rewrote the `autoPatchelfHook`.
The new hook still calls `patchelf` to actually
modify binary files, but the discovery of
shared libraries apparently got changed.

Thorough investigation of all `patchelf` calls in the
old and new autoPatchelfHook showed that all files are
treated equally up the the files

* $out/opt/tivoli/tsm/client/api/bin64/libtsmxerces-depdom.so.28.0
* $out/opt/tivoli/tsm/client/api/bin64/libxmlutil-8.1.13.0.so

where the new autoPatchelf implementation replaced `$out/lib`
with `$out/opt/tivoli/tsm/client/api/bin64` in the rpath.

I failed to see *why* the new algorithm does
that, or if that might be considered a bug.
The `tsm-client` package has some confusing symlink
structure which certainly might confuse `autoPatchelfHook`.

The following ideas to "restore" the old behaviour
of `autoPatchelfHook` failed to produce a working package:
* add "$out" or "${placeholder "out"}" to `runtimeDependencies`
* use `addAutoPatchelfSearchPath` with `$out/lib` or
  another so-file-containing directory

The commit at hand fixes the issue by directly adding `$out/lib`
to the rpath of all shared libraries in that directory.
This has to be done *after* `autoPatchelf` got executed.
To accomplish this, we disable auto-calling `autoPatchelf`
(it would run after `postFixup`) and instead call it
manually in `postFixup`, just before we patch the rpath by hand.
2022-07-07 19:05:28 +02:00
Robert Scott
61c35da607 treewide/servers,tools: add sourceType binaryNativeCode for many packages 2022-06-16 20:21:42 +01:00
Yarny0
ea84f6b9e9 tsm-client: 8.1.13.3 -> 8.1.14.0
This update fixes a denial-of-service vulnerability.

Links to IBM's "Authorized Program Analysis Report"s
(something like release notes) for 8.1.14.x:
https://www.ibm.com/support/pages/node/6559268

README for 8.1.14.x:
https://www.ibm.com/support/pages/node/6561875

Security Bulletin:
https://www.ibm.com/support/pages/node/6562383 (CVE-2021-35517, CVE-2021-36090)
2022-03-12 11:24:07 +01:00
Yarny0
756f45306b tsm-client: 8.1.13.2 -> 8.1.13.3
Link to Security Bulletin:
https://www.ibm.com/support/pages/node/6540692 (CVE-2021-44832)
2022-01-17 12:09:27 +01:00
Yarny0
be904af99c tsm-client: 8.1.13.1 -> 8.1.13.2
Link to Security Bulletin:
https://www.ibm.com/support/pages/node/6537640 (CVE-2021-45105, CVE-2021-45046)
2022-01-17 12:09:27 +01:00
Yarny0
4a42ca06c1 tsm-client: 8.1.13.0 -> 8.1.13.1
Link to Security Bulletin:
https://www.ibm.com/support/pages/node/6527080 (CVE-2021-44228)
2022-01-17 12:09:27 +01:00
Yarny0
66d068bf66 tsm-client: use rpm source instead of deb/Ubuntu
IBM publishes their IBM Spectrum Protect client
for Linux in two flavors:

* "Linux x86_64 client"
* "Linux x86_64 Ubuntu client"

Up to this commit, nixpkgs used the Ubuntu
flavor to build its `tsm-client` derivation.
However, the history of published archive files in

* https://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/client/v8r1/Linux/
* https://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v8r1/Linux/

suggests that updates in the fourth level of
the version numbers (e.g. 8.1.13.0 -> 8.1.13.1)
do not get published as Ubuntu flavor.
It order to be able to always use the latest release,
this commit switches to the non-Ubuntu flavor.
The non-Ubuntu archive contains rpm files,
so this commit switches from `ar` to `rpmextract`.
Instead of unpacking all deb files,
the build recipe now unpacks all _but one_ rpm file:
The file `TIVsm-WEBGUI.x86_64.rpm` apparently
contains a plugin that is not included
in the Ubuntu version (see note below).
Comparing the old and the new derivation's output indicates
that this choice minimizes the difference between the results:

The output of the old (Ubuntu flavor) derivation contains:
* `commons-codec-1.6.jar`
* `share/` with changelog and copyright information
  for the packages `gskssl64` and `gskcrypt64`

The output of the new (non-Ubuntu flavor) derivation contains:
* `lib64`, symlink to `lib`
* `commons-codec-1.14.jar`
* `opt/tivoli/tsm/license/{api,baclient}/sm/`
  with license agreement files in many languages

Besides these differences, the outputs' file names are equal.

Note: I don't know what functionality
`TIVsm-WEBGUI.x86_64.rpm` actually provides.
Unpacking it with the other rpm files makes patchelf complain
about missing X11 libraries, so in order to include it here,
one would likely need to add those to `buildInputs`.
However, as the old (Ubuntu flavor) `tsm-client` package
did not contain this functionality and as I cannot test
or use it in any way, I opted to not include it now.
If we want to include this with a later commit,
we should add another package build option (like `enableGui`)
so that the default `tsm-client` package does not pull in
X11 libraries and its closure size therefore stays small.
2022-01-17 12:09:27 +01:00
Yarny0
f6dca95c5d tsm-client: add test derivation and a module test
The tsm-client needs a tsm-server to do anything useful.
Without a server, automated tests can just
check diagnostic outputs for plausibility.

The commit at hand adds two tests:

1.
The command line interface `dsmc` is called,
then it is verified that the program does

* report the correct client version,
* find its configuration file,
* report a connection error.

2.
To check the GUI (and the tsm-client nixos module), we add a
vm test which uses the module to install `tsm-client-withGui`.
To verify that the GUI's basic functionality is present,
we skip over all connection failure related error
messages and open the "Connection Information"
dialog from the main application window.
This dialog presents the node name and the client version;
both are verified by the test.

Note: Our `tsm-client` build recipe consists of two packages:
The "unwrapped" package and the final package.
This commit puts the unwrapped one into the final
package's `passthru` so that tests can access
the original version string that is needed to check
the client version reported by the application.
2022-01-17 12:09:27 +01:00
Yarny0
8fa6f90ad6 tsm-client: set mainProgram
The TSM command line client `dsmc` should be the
program that is usually invoked from this package.
However, if a user explicitely asks for the
package with GUI support (with `enableGui`,
available in the package `tsm-client-withGui`),
we set the mainProgram to the graphical application `dsmj`
as that's likely what the user is looking for.
2022-01-17 12:09:27 +01:00
Yarny0
7934926b2e tsm-client: makeWrapper buildInputs to nativeBuildInputs
Although I'm not sure if `tsm-client` will ever be
subject to cross-compiling, referencing makeWrapper
from native BuildInputs is The Right Thing.

This is a kind of follow-up of
https://github.com/NixOS/nixpkgs/pull/112276
2022-01-17 12:09:26 +01:00
Yarny0
5ad0ecb901 tsm-client: 8.1.8.0 -> 8.1.13.0
tsm-client now links against openssl;
patchelf complains without it.

Links to IBM's "Authorized Program Analysis Report"s
(something like release notes),
to READMEs, and to Security Bulletins,
for all updates between 8.1.8.0 and 8.1.13.0:

* 8.1.9.x
  * APARs: https://www.ibm.com/support/pages/node/1077159
  * READMEs: https://www.ibm.com/support/pages/node/1108473
  * https://www.ibm.com/support/pages/node/1107261 (CVE-2018-2025)
  * https://www.ibm.com/support/pages/node/1107777 (CVE-2019-4406)

* 8.1.10.x
  * APARs: https://www.ibm.com/support/pages/node/6223098
  * READMEs: https://www.ibm.com/support/pages/node/6223388
  * https://www.ibm.com/support/pages/node/6221448 (CVE-2020-4494, CVE-2020-4406)
  * https://www.ibm.com/support/pages/node/6245356 (CVE-2020-2654)
  * https://www.ibm.com/support/pages/node/6245366 (CVE-2015-4000)

* 8.1.11.x
  * APARs: https://www.ibm.com/support/pages/node/6367203
  * READMEs: https://www.ibm.com/support/pages/node/6367205
  * https://www.ibm.com/support/pages/node/6371646
  * https://www.ibm.com/support/pages/node/6371650
  * https://www.ibm.com/support/pages/node/6371652

* 8.1.12.x
  * APARs: https://www.ibm.com/support/pages/node/6429561
  * READMEs: https://www.ibm.com/support/pages/node/6443671
  * https://www.ibm.com/support/pages/node/6445503 (CVE-2021-20532)
  * https://www.ibm.com/support/pages/node/6445497 (CVE-2021-29672, CVE-2021-20546)
  * https://www.ibm.com/support/pages/node/6445489 (CVE-2020-1971, CVE-2021-23840, CVE-2021-23841)
  * https://www.ibm.com/support/pages/node/6445483 (CVE-2020-27221, CVE-2020-14782)

* 8.1.13.x
  * APARs: https://www.ibm.com/support/pages/node/6524936
  * READMEs: https://www.ibm.com/support/pages/node/6524938
  * https://www.ibm.com/support/pages/node/6524706 (CVE-2021-39048)
  * https://www.ibm.com/support/pages/node/6524712 (CVE-2021-3712, CVE-2021-3711)
2022-01-17 12:09:26 +01:00
Yarny0
517ae2a288 tsm-client: update URL structure
IBM has changed the URL structures of their support web pages.
The commit at hand updates most URLs and
in particular the package update instructions
so they follow the new structure.
It also calculates the source download URL from the
version number, so package updates no longer have to
update the URL in addition to the version string.
2022-01-17 12:09:26 +01:00
Yarny0
6d134acc4a tsm-client: use explicit package option for Java GUI
The tsm-client package comes in two flavours:
command line only (`tsm-client`) and with a
Java-backed GUI (`tsm-client-withGui`).
To control which package is built,
the build recipe simply used to check if the
`jdk8` package was provided as package input.
This commit changes this mechanism:
The build recipe now accepts the explicit option `enableGui`,
which is set to `false` by default.

As the commit at hand touches the build recipe arguments,
it also changes argument sorting following
https://nixos.org/manual/nixpkgs/stable/#sec-syntax
2022-01-17 12:09:26 +01:00
Yarny0
ce6eea6002 tsm-client: add gnugrep to PATH
While testing the new version, I observed that
`dsmc` prints an error "sh: grep: command not found"
when executed with empty PATH.
Apparently, `dsmc` needs `grep` in its PATH.
2022-01-17 12:09:26 +01:00
Yarny0
6e157a481a tsm-client: fix lvm2 support
lvm2 support was broken when lvm2 got
converted to a multiple-output derivation:

https://github.com/NixOS/nixpkgs/pull/93024
d3a991d410

The `runtimeDependencies` attribute doesn't specifically
look for a `lib` output, so it uses the main `out` output
which no longer contains the library object files.

Since TSM loads the `libdevmapper.so` library
dynamically (likely with `dlfcn.h` functions),
the breakage couldn't be detected at build time.

The commit at hand simply uses
`getLib` to pick the correct output.
2022-01-17 12:09:23 +01:00
Sandro Jäckel
14af34c2f4
treewide: remove lib.{lists,string}.optional* 2021-07-29 14:15:12 +02:00
Michael Reilly
84cf00f980
treewide: Per RFC45, remove all unquoted URLs 2020-04-10 17:54:53 +01:00
Yarny0
fe0bfb3fec tsm-client: init at 8.1.8.0
IBM Spectrum Protect (former name: Tivoli Storage Manager)
provides a single point of control for backup and recovery.
This package contains the client software, that is,
a command line client and linkable libraries.

This commit adds two packages to nixpkgs:
The TSM client software contains a Java GUI
that, naturally, requires Java to be installed.
To keep the closure size low, we provide the packages
`tsm-client` and `tsm-client-withGUI`.
The former comes without the Java GUI.

While the product has been renamed, its old name is still
alive in filenames and as package name used by other distros.
2019-07-15 09:41:36 +02:00