libxcb-xinerama0 Library required by bitcoin-qt
nimrare opened this issue · 7 comments
Is there an existing issue for this?
- I have searched the existing issues
Current behaviour
I installed bitcoin core 26.1 on a Raspberry 5 (ARM Architecture) running Ubuntu 23.1. Upon running bitcoin-qt, I got the error that the library libxcb-xinerama0 is required but not installed.
It's easily fixed by installing it from the repositories (apt install libxcb-xinerama0), however, for a security conscious person this is a bit unsatisfying. Is there a reason this library is not packaged with the bitcoin core binaries?
After all you go through the hassle of verifying and cross checking all signatures of the binaries and then you have to install a third party untrusted library to run everything.
Expected behaviour
Bitcoin core comes packaged with all required libraries.
Steps to reproduce
See current behavior.
Relevant log output
No response
How did you obtain Bitcoin Core
Pre-built binaries
What version of Bitcoin Core are you using?
26.1
Operating system and version
Ubuntu 23.1
Machine specifications
Raspberry 5 ARM
It's easily fixed by installing it from the repositories (apt install libxcb-xinerama0), however, for a security conscious person this is a bit unsatisfying.
It is expected:
bitcoin/contrib/devtools/symbol-check.py
Line 125 in 43a66c5
@nimrare The short answer here is that there is no way around trusting your operating system's libraries. Even if all userspace things would be statically linked, you're still relying on your kernel for example. And it turns out that for interacting with graphics subsystems of your operating system, dynamic libraries are practically the only solution, as statically-linked ones would pretty much only work on the exact system they were compiled for.
Potentially it could make the dependency on xcb-xinerama optional. There's only a few functions used from that library, for a specific purpose (multiple monitor support), if the library can't be loaded, it can be assumed that this functionality isn't needed. This does mean patching Qt though. Basically to set hasXinerama() to be false in that case.
)i've handled the xcb/wayland switch in that way--if X libraries can't be found, don't exit, but fail loading the XCB platform and go on to the next one
Edit: But given that you've already had to install X libraries on your system to be able to use X in the first place, the additional security risk of installing another component is negligible, i don't think this is really a pressing issue.
@sipa @laanwj Okay, thank you for your response on this. I see your points and also agree that btc core can't and shouldn't deal with os related graphics peculiarities. Just from a UX/security perspective, I was a bit surprised about it when first encountered. Maybe it could be made optional at some point or a more verbose error message can be printed. In any case, no big issue. I'll close this!
Okay, thank you for your response on this. I see your points and also agree that btc core can't and shouldn't deal with os related graphics peculiarities. Just from a UX/security perspective, I was a bit surprised about it when first encountered. Maybe it could be made optional at some point or a more verbose error message can be printed. In any case, no big issue. I'll close this!
If you're concerned about trusting binaries installed by your OS' package manager, consider Gentoo. But fundamentally, unless you bootstrap your own C compiler from assembly, you're going to have to trust at least a compiler binary and the env to execute it as your root.