WIP: Migrate for zlib 1.3?

[h-vetinari]

There was a new zlib build release last August (a few weeks ago in conda-forge; it seems the bot didn't open a PR yet).

We've been on zlib 1.2 since the beginning of the global pinning

conda-forge-pinning-feedstock/recipe/conda_build_config.yaml

Lines 195 to 196 in 754eda8

	zlib:
	- 1.2

so this would probable be a relatively big migration. It's possible that migrating isn't even necessary though. While there's been no update in the abi lab for a long time, the newest libzlib still contains both:

lib/libz.so.1
lib/libz.so.1.3

indicating that major-level pinning the SOVER should be enough.

The changelog for zlib 1.3 also doesn't look particularly scary or ABI-relevant, though I guess the minor number was increased due to things like madler/zlib#633, which caused a pretty substantial overhaul, see e.g. madler/zlib@e9d5486

We should check if the ABI changed; if not, we could relax the pins.

CC @conda-forge/zlib @conda-forge/core

[conda-forge-webservices]

Hi! This is the friendly automated conda-forge-linting service.

I just wanted to let you know that I linted all conda-recipes in your PR (recipe) and found it was in an excellent condition.

[xhochy]

This looks like "cosmetic" changes. Can someone try whether e.g. libarchive or python works with the new zlib without rebuilding the current binaries?

[pitrou]

This looks like "cosmetic" changes. Can someone try whether e.g. libarchive or python works with the new zlib without rebuilding the current binaries?

I agree that nothing significant seems to have changed in the zlib's public headers. That's probably why it's still providing a libz.so.1 and not libz.so.2.

[hmaarrfk]

I tried to build a few packages for zlib 1.3 but honestly, i think i ran into some rerendering issues and gave up.

[omron93]

@hmaarrfk @h-vetinari Is there any progress about this and getting the zlib updated to 1.3 for fixing CVE-2023-45853?
How can I help with that? (I don't have previous experience with conda-forge building)

[h-vetinari]

How can I help with that?

You could install zlib=1.2 and zlib=1.3 into two different environments, and then try following these instructions from abi-dumper (which is what used to powers abi-laboratory, though unfortunately it seems the pages aren't getting updated anymore, including zlib) on /path/to/env1_or_env2/lib/libz.so between the two environments, and report back the results, or where you ran into problems.

[omron93]

@h-vetinari Trying that now with builds from conda-forge, do you know if it's possible get builds with debug info included or striped in different package?

[omron93]

This is result of abi-compliance-checker run for zlib1g versions build in ubuntu 23.10 and 24.04 (https://packages.ubuntu.com/mantic/zlib1g) - so versions 1.2.13 vs 1.3
Although abi-dumper was complaining about -O3 instead of -Og and bunch of 'incomplete info for symbol'

[compat_reports.zip](https://github.com/conda-forge/conda-forge-pinning-feedstock/files/15418188/compat_reports.zip)
root@b88352d7c82d:/# abi-dumper /usr/lib/x86_64-linux-gnu/libz.so.1.2.13 --search-debuginfo=/usr/lib/debug/.build-id/62/
WARNING: module version is not specified (-lver NUM)
Found link to 2a20ffd045816c9b5b50dd8967803026b40cc8.debug (gnu_debuglink)
Reading debug-info file 2a20ffd045816c9b5b50dd8967803026b40cc8.debug linked from gnu_debuglink
Reading debug-info
WARNING: incompatible build option detected: -O3 (required -Og for better analysis)
ERROR: incomplete info for symbol 5308
ERROR: incomplete info for symbol 5393
ERROR: incomplete info for symbol 5501
ERROR: incomplete info for symbol 5675
ERROR: incomplete info for symbol 5872
ERROR: incomplete info for symbol 6443
ERROR: incomplete info for symbol 9308
ERROR: incomplete info for symbol 9590
ERROR: incomplete info for symbol 9692
ERROR: incomplete info for symbol 9880
ERROR: incomplete info for symbol 9942
ERROR: incomplete info for symbol 10085
ERROR: incomplete info for symbol 10597
ERROR: incomplete info for symbol 10939
ERROR: incomplete info for symbol 11314
ERROR: incomplete info for symbol 11511
ERROR: incomplete info for symbol 11657
ERROR: incomplete info for symbol 11887
ERROR: incomplete info for symbol 12282
ERROR: incomplete info for symbol 12474
ERROR: incomplete info for symbol 12723
ERROR: incomplete info for symbol 15044
ERROR: incomplete info for symbol 15497
ERROR: incomplete info for symbol 15655
ERROR: incomplete info for symbol 15972
ERROR: incomplete info for symbol 16100
ERROR: incomplete info for symbol 16876
ERROR: incomplete info for symbol 17004
ERROR: incomplete info for symbol 18203
ERROR: incomplete info for symbol 18244
ERROR: incomplete info for symbol 18449
ERROR: incomplete info for symbol 18681
ERROR: incomplete info for symbol 18888
ERROR: incomplete info for symbol 19066
ERROR: incomplete info for symbol 19173
ERROR: incomplete info for symbol 19420
ERROR: incomplete info for symbol 21089
ERROR: incomplete info for symbol 21310
ERROR: incomplete info for symbol 21707
ERROR: incomplete info for symbol 22456
ERROR: incomplete info for symbol 22677
ERROR: incomplete info for symbol 23172
ERROR: incomplete info for symbol 23373
ERROR: incomplete info for symbol 23861
ERROR: incomplete info for symbol 24025
ERROR: incomplete info for symbol 24240
ERROR: incomplete info for symbol 24435
ERROR: incomplete info for symbol 24700
ERROR: incomplete info for symbol 24735
ERROR: incomplete info for symbol 24979
ERROR: incomplete info for symbol 25107
ERROR: incomplete info for symbol 25154
ERROR: incomplete info for symbol 25453
ERROR: incomplete info for symbol 27755
ERROR: incomplete info for symbol 27843
ERROR: incomplete info for symbol 27931
ERROR: incomplete info for symbol 28223
ERROR: incomplete info for symbol 28284
ERROR: incomplete info for symbol 28473
ERROR: incomplete info for symbol 28694
ERROR: incomplete info for symbol 28801
ERROR: incomplete info for symbol 28849
ERROR: incomplete info for symbol 28916
ERROR: incomplete info for symbol 29007
ERROR: incomplete info for symbol 29074
ERROR: incomplete info for symbol 29122
ERROR: incomplete info for symbol 29177
ERROR: incomplete info for symbol 29355
ERROR: incomplete info for symbol 29511
ERROR: incomplete info for symbol 29699
ERROR: incomplete info for symbol 29803
ERROR: incomplete info for symbol 29865
ERROR: incomplete info for symbol 30035
ERROR: incomplete info for symbol 30374
ERROR: incomplete info for symbol 30449
ERROR: incomplete info for symbol 30715
ERROR: incomplete info for symbol 32630
ERROR: incomplete info for symbol 32788
ERROR: incomplete info for symbol 32976
ERROR: incomplete info for symbol 33173
ERROR: incomplete info for symbol 33561
ERROR: incomplete info for symbol 34199
ERROR: incomplete info for symbol 34314
ERROR: incomplete info for symbol 34646
ERROR: incomplete info for symbol 35039
Creating ABI dump

[omron93]

For some reason the attachment was not added to previous message compat_reports.zip :-)

[h-vetinari]

Thanks for running this @omron93! 🙏

Taking a screenshot from the produced report, it indeed looks like the ABI is untouched: