Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[SOLVED] discord-bin libstdc++.so?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Gamers & Players
View previous topic :: View next topic  
Author Message
Marcih
Apprentice
Apprentice


Joined: 19 Feb 2018
Posts: 207

PostPosted: Sun Aug 30, 2020 9:03 am    Post subject: [SOLVED] discord-bin libstdc++.so? Reply with quote

The net-im/discord-bin ebuild has LLVM's C++ standard lib implementation in its dependencies (sys-libs/libcxx). Honestly I'm not too thrilled on having to compile LLVM along with another C++ stdlib implementation since I already have to use GCC for essentially everything. Since the Discord package is a pre-compiled binary, is there any possibility of those two libraries being interchangeable? Is there a way to try?
_________________
Bones McCracker wrote:
It wouldn't be so bad, if it didn't suck.

NeddySeagoon wrote:
The problem with leaving is that you can only do it once and it reduces your influence.


Last edited by Marcih on Sun Sep 13, 2020 7:07 am; edited 1 time in total
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 46272
Location: 56N 3W

PostPosted: Sun Aug 30, 2020 9:45 am    Post subject: Reply with quote

Marcih,

net-im/discord-bin is an evil closed source binary blob.
At run time, the dynamic linker will go looking for the libraries that it needs.

You can get a list of them with lddtree.

Its possible to create symlinks to redirect the thins you don't have to the things you do but I would not expect it to work.

Even if you rename libraries like that, just for discord, I would expect some symbols names to be missing.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 15967

PostPosted: Sun Aug 30, 2020 4:47 pm    Post subject: Reply with quote

Assuming that they really only use standard symbols, and not any LLVM extensions, fixing this should just be a matter of obtaining a Discord compiled with gcc instead of clang. For open source packages, you would do that yourself by downloading the source, building with gcc, and posting a note about whether it works. Since the Discord developers failed to release their source, you will need to get them to do this for you. Good luck with that. You will almost certainly need it.

I tried to look into this for you to see if they might have alternatives, but their website is a mess, and some of their headers make me question their design decisions. Any time you see a CSP that includes script-src https://www.gstatic.com/recaptcha/, you should prepare for pain and suffering. Perhaps more concerning is the use of connect-src ws://127.0.0.1:* http://127.0.0.1:*. As I understand the CSP language, no site has legitimate business allowing connections to loopback, because no site should be accessing loopback from a browser.
Back to top
View user's profile Send private message
netfab
Veteran
Veteran


Joined: 03 Mar 2005
Posts: 1725
Location: 127.0.0.1

PostPosted: Sat Sep 12, 2020 6:18 pm    Post subject: Reply with quote

sys-libs/libcxx dependency removed from net-im/discord-bin-0.12 ebuild : link
Back to top
View user's profile Send private message
Marcih
Apprentice
Apprentice


Joined: 19 Feb 2018
Posts: 207

PostPosted: Sun Sep 13, 2020 5:52 am    Post subject: Reply with quote

Hu wrote:
[a lot of interesting text in the second half that I cannot comprehend the majority of]
I really appreciate the reply and the info Hu, I just did not have anything to say or add! :lol:
EDIT: Oh and almost forgot Neddy there. I was aware that the Discord package is a closed-source binary, I was just wondering whether the C++ libs from GCC and LLVM were compatible/interchangeable. I guess not :D
netfab wrote:
sys-libs/libcxx dependency removed from net-im/discord-bin-0.12 ebuild
Thanks for the heads-up, didn't even occur to me to check when I saw a new version of the client was released.
_________________
Bones McCracker wrote:
It wouldn't be so bad, if it didn't suck.

NeddySeagoon wrote:
The problem with leaving is that you can only do it once and it reduces your influence.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 15967

PostPosted: Sun Sep 13, 2020 5:10 pm    Post subject: Reply with quote

Marcih wrote:
Hu wrote:
[a lot of interesting text in the second half that I cannot comprehend the majority of]
I really appreciate the reply and the info Hu, I just did not have anything to say or add! :lol:
Breaking out and elaborating on my prior response:
Hu wrote:
I tried to look into this for you to see if they might have alternatives, but their website is a mess
I am one of those people who thinks that a site should be at least slightly usable by downloading the main document via curl and viewing it in $EDITOR. Some functionality may be missing, but I ought to at least know the key points that the author would convey: who operates the site, what does it offer, why should I want to use it, etc. Their site failed this test completely. It's not even close to readable in $EDITOR. (For this purpose, I only judge the main document of the site. If the site has a usable front page, and a dynamic webapp behind it, I don't judge negatively because the front page told me about the site, even though the dynamic webapp is not usable via curl+$EDITOR.)
Marcih wrote:
Hu wrote:
Any time you see a CSP that includes script-src https://www.gstatic.com/recaptcha/, you should prepare for pain and suffering.
CSP, short for Content Security Policy, is a belated attempt, added years too late, to improve website security by letting the server declare to the browser what types of content are supposed to be in the page, so that if an attacker injects unauthorized content of an unexpected type, the browser can guess that this injected content is invalid and can refuse to process it. Seeing CSP from a server is a good thing, because it means their site maintainers are at least marginally competent, and cared enough to write a policy that is not required for proper operation. Seeing a CSP that whitelists a Google reCAPTCHA is a very bad thing, because it means the site intends to use a Google reCAPTCHA. I have never had a good experience with a Google reCAPTCHA.
Marcih wrote:
Hu wrote:
Perhaps more concerning is the use of connect-src ws://127.0.0.1:* http://127.0.0.1:*. As I understand the CSP language, no site has legitimate business allowing connections to loopback, because no site should be accessing loopback from a browser.
CSP defines what types of resources the in-page content will include or access. In my opinion, there are no situations in which a web page should ever access the loopback address on the browser's system, because that address is, by definition, served by another process on the system running the browser. If that process is not intended to interact with the web page, then the page should not be interacting with it. If the process is intended to interact with the web page, then we are back to my questioning their design decisions, because I cannot see a case where that would be both secure and desirable. For this purpose, it is "secure" if the process cannot be abused to do inappropriate things when the user visits a page written by someone who knows the full capabilities of the process and who spent hours or days crafting a site specifically intended to abuse the process. As a trivial example of an insecure process, consider an integration that automatically opens the Steam Launcher when the user clicks a link on the Steam website, but implemented such that anyone can copy that code from the Steam website, paste it into another site, and cause the Steam Launcher to just appear, unsolicited and unexpected, as a side effect of loading the malicious site. Unapproved launches like this can, at a minimum, confuse the user and waste system resources. Depending on the details, the attacker may be able to force the launch of so many instances that the system becomes unusable (denial of service). In other cases, the attacker might use this as a component of a social engineering scheme to trick the user, because if the user thinks that the Steam Launcher can only be spawned by the legitimate Steam website, then a malicious website can improve its credibility by spawning a Steam Launcher.

On the "desirable" front, an integration like this should only do any significant amount of work if an informed user would want that work done. This probably means asking the user "Are you sure you want this integration to do X?". I would not be at all surprised to find that some integrations omit that are-you-sure because "it bothers the user too much" or some similar explanation. Similarly, if you have an are-you-sure, then you need to carefully balance making X adequately descriptive, while also not letting a malicious site provide a customized X that misleads the user. Browsers have revised their Javascript alert dialogs over the years because early versions allowed too much control to the untrusted script, allowing the script to trick the user into thinking the question came from trusted browser code, rather than untrusted Javascript. A custom integration with its own are-you-sure prompts faces the same problem, and must implement its own dialog, because it cannot trust that the in-page script did the right thing.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Gamers & Players All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum