libxcb-xinerama0 Library required by bitcoin-qt #30061

issue nimrare openend this issue on May 8, 2024
  1. nimrare commented at 11:03 am on May 8, 2024: none

    Is there an existing issue for this?

    • I have searched the existing issues

    Current behaviour

    I installed bitcoin core 26.1 on a Raspberry 5 (ARM Architecture) running Ubuntu 23.1. Upon running bitcoin-qt, I got the error that the library libxcb-xinerama0 is required but not installed.

    It’s easily fixed by installing it from the repositories (apt install libxcb-xinerama0), however, for a security conscious person this is a bit unsatisfying. Is there a reason this library is not packaged with the bitcoin core binaries?

    After all you go through the hassle of verifying and cross checking all signatures of the binaries and then you have to install a third party untrusted library to run everything.

    Expected behaviour

    Bitcoin core comes packaged with all required libraries.

    Steps to reproduce

    See current behavior.

    Relevant log output

    No response

    How did you obtain Bitcoin Core

    Pre-built binaries

    What version of Bitcoin Core are you using?

    26.1

    Operating system and version

    Ubuntu 23.1

    Machine specifications

    Raspberry 5 ARM

  2. hebasto commented at 11:14 am on May 8, 2024: member

    It’s easily fixed by installing it from the repositories (apt install libxcb-xinerama0), however, for a security conscious person this is a bit unsatisfying.

    It is expected: https://github.com/bitcoin/bitcoin/blob/43a66c55ec8770cf7c21112aac9b997f3f2fb704/contrib/devtools/symbol-check.py#L125

  3. sipa commented at 1:11 pm on May 8, 2024: member
    @laanwj Does #29923 address this?
  4. fanquake commented at 1:14 pm on May 8, 2024: member

    @laanwj Does #29923 address this?

    No. That just removes our need to compile all the libs. Everything in Qt is still loaded at runtime.

  5. sipa commented at 2:35 pm on May 8, 2024: member
    @nimrare The short answer here is that there is no way around trusting your operating system’s libraries. Even if all userspace things would be statically linked, you’re still relying on your kernel for example. And it turns out that for interacting with graphics subsystems of your operating system, dynamic libraries are practically the only solution, as statically-linked ones would pretty much only work on the exact system they were compiled for.
  6. laanwj commented at 7:07 am on May 9, 2024: member

    @laanwj Does #29923 address this?

    Potentially it could make the dependency on xcb-xinerama optional. There’s only a few functions used from that library, for a specific purpose (multiple monitor support), if the library can’t be loaded, it can be assumed that this functionality isn’t needed. This does mean patching Qt though. Basically to set hasXinerama() to be false in that case.

    )i’ve handled the xcb/wayland switch in that way–if X libraries can’t be found, don’t exit, but fail loading the XCB platform and go on to the next one

    Edit: But given that you’ve already had to install X libraries on your system to be able to use X in the first place, the additional security risk of installing another component is negligible, i don’t think this is really a pressing issue.

  7. laanwj added the label Linux/Unix on May 9, 2024
  8. nimrare commented at 3:55 pm on May 10, 2024: none
    @sipa @laanwj Okay, thank you for your response on this. I see your points and also agree that btc core can’t and shouldn’t deal with os related graphics peculiarities. Just from a UX/security perspective, I was a bit surprised about it when first encountered. Maybe it could be made optional at some point or a more verbose error message can be printed. In any case, no big issue. I’ll close this!
  9. nimrare closed this on May 10, 2024

  10. libreisaac commented at 4:42 pm on May 10, 2024: none

    Okay, thank you for your response on this. I see your points and also agree that btc core can’t and shouldn’t deal with os related graphics peculiarities. Just from a UX/security perspective, I was a bit surprised about it when first encountered. Maybe it could be made optional at some point or a more verbose error message can be printed. In any case, no big issue. I’ll close this!

    If you’re concerned about trusting binaries installed by your OS’ package manager, consider Gentoo. But fundamentally, unless you bootstrap your own C compiler from assembly, you’re going to have to trust at least a compiler binary and the env to execute it as your root.


github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-09-14 04:12 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me