Build statically-linked sqlcipher for Unix

dockerbuild/Dockerfile

@@ -12,9 +12,7 @@ RUN apt-get -qq update && apt-get -qq dist-upgrade && \
   # libsecret-1-dev and libgnome-keyring-dev are required even for prebuild keytar
   apt-get -qq install --no-install-recommends qtbase5-dev bsdtar build-essential autoconf libssl-dev gcc-multilib g++-multilib lzip rpm python libcurl4 git git-lfs ssh unzip \
   libsecret-1-dev libgnome-keyring-dev \
-  libopenjp2-tools \
-  # Used by Seshat
-  libsqlcipher-dev && \
+  libopenjp2-tools && \
   # git-lfs
   git lfs install && \
   apt-get purge -y --auto-remove && rm -rf /var/lib/apt/lists/*

element.io/nightly/control.template

@@ -3,7 +3,7 @@ License: Apache-2.0
 Vendor: support@element.io
 Architecture: amd64
 Maintainer: support@element.io
-Depends: libgtk-3-0, libnotify4, libnss3, libxss1, libxtst6, xdg-utils, libatspi2.0-0, libuuid1, libsecret-1-0, libsqlcipher0
+Depends: libgtk-3-0, libnotify4, libnss3, libxss1, libxtst6, xdg-utils, libatspi2.0-0, libuuid1, libsecret-1-0
 Recommends: libappindicator3-1
 Section: net
 Priority: extra

element.io/release/control.template

@@ -3,7 +3,7 @@ License: Apache-2.0
 Vendor: support@element.io
 Architecture: amd64
 Maintainer: support@element.io
-Depends: libgtk-3-0, libnotify4, libnss3, libxss1, libxtst6, xdg-utils, libatspi2.0-0, libuuid1, libsecret-1-0, libsqlcipher0
+Depends: libgtk-3-0, libnotify4, libnss3, libxss1, libxtst6, xdg-utils, libatspi2.0-0, libuuid1, libsecret-1-0
 Recommends: libappindicator3-1
 Replaces: riot-desktop (<< 1.7.0), riot-web (<< 1.7.0)
 Breaks: riot-desktop (<< 1.7.0), riot-web (<< 1.7.0)

hak/matrix-seshat/build.ts

@@ -26,7 +26,7 @@ export default async function(hakEnv: HakEnv, moduleInfo: DependencyInfo): Promi
     if (hakEnv.isWin()) {
         await buildOpenSslWin(hakEnv, moduleInfo);
         await buildSqlCipherWin(hakEnv, moduleInfo);
-    } else if (hakEnv.isMac()) {
+    } else {
         await buildSqlCipherUnix(hakEnv, moduleInfo);
     }
     await buildMatrixSeshat(hakEnv, moduleInfo);
@@ -179,12 +179,17 @@ async function buildSqlCipherUnix(hakEnv, moduleInfo) {
         '--prefix=' + moduleInfo.depPrefix + '',
         '--enable-tempstore=yes',
         '--enable-shared=no',
+        '--enable-tcl=no',
     ];
 
     if (hakEnv.isMac()) {
         args.push('--with-crypto-lib=commoncrypto');
     }
 
+    if (hakEnv.isLinux()) {
+        args.push('--with-pic=yes');
+    }
+
     if (!hakEnv.isHost()) {
         // In the nonsense world of `configure`, it is assumed you are building
         // a compiler like `gcc`, so the `host` option actually means the target
@@ -265,12 +270,29 @@ async function buildMatrixSeshat(hakEnv, moduleInfo) {
     // it for now: we should confirm how much of this it still actually needs.
     const env = hakEnv.makeGypEnv();
 
-    if (!hakEnv.isLinux()) {
-        Object.assign(env, {
-            SQLCIPHER_STATIC: 1,
-            SQLCIPHER_LIB_DIR: path.join(moduleInfo.depPrefix, 'lib'),
-            SQLCIPHER_INCLUDE_DIR: path.join(moduleInfo.depPrefix, 'include'),
-        });
+    Object.assign(env, {
+        SQLCIPHER_STATIC: 1,
+        SQLCIPHER_LIB_DIR: path.join(moduleInfo.depPrefix, 'lib'),
+        SQLCIPHER_INCLUDE_DIR: path.join(moduleInfo.depPrefix, 'include'),
+    });
+
+    if (hakEnv.isLinux()) {
+        // Ensure Element uses the statically-linked seshat build, and prevent other applications
+        // from attempting to use this one. Detailed explanation:
+        //
+        // RUSTFLAGS
+        //     An environment variable containing a list of arguments to pass to rustc.
+        // -Clink-arg=VALUE
+        //     A rustc argument to pass a single argument to the linker.
+        // -Wl,
+        //     gcc syntax to pass an argument (from gcc) to the linker (ld).
+        // -Bsymbolic:
+        //     Prefer local/statically linked symbols over those in the environment.
+        //     Prevent overriding native libraries by LD_PRELOAD etc.
+        // --exclude-libs ALL
+        //     Prevent symbols from being exported by any archive libraries.
+        //     Reduces output filesize and prevents being dynamically linked against.
+        env.RUSTFLAGS = '-Clink-arg=-Wl,-Bsymbolic -Clink-arg=-Wl,--exclude-libs,ALL';
     }
 
     if (hakEnv.isWin()) {

hak/matrix-seshat/check.ts

@@ -22,21 +22,19 @@ import { DependencyInfo } from '../../scripts/hak/dep';
 
 export default async function(hakEnv: HakEnv, moduleInfo: DependencyInfo): Promise<void> {
     // of course tcl doesn't have a --version
-    if (!hakEnv.isLinux()) {
-        await new Promise<void>((resolve, reject) => {
-            const proc = childProcess.spawn('tclsh', [], {
-                stdio: ['pipe', 'ignore', 'ignore'],
-            });
-            proc.on('exit', (code) => {
-                if (code !== 0) {
-                    reject("Can't find tclsh - have you installed TCL?");
-                } else {
-                    resolve();
-                }
-            });
-            proc.stdin.end();
+    await new Promise<void>((resolve, reject) => {
+        const proc = childProcess.spawn('tclsh', [], {
+            stdio: ['pipe', 'ignore', 'ignore'],
         });
-    }
+        proc.on('exit', (code) => {
+            if (code !== 0) {
+                reject("Can't find tclsh - have you installed TCL?");
+            } else {
+                resolve();
+            }
+        });
+        proc.stdin.end();
+    });
 
     const tools = [
         ['rustc', '--version'],

hak/matrix-seshat/fetchDeps.ts

@@ -25,9 +25,7 @@ import HakEnv from '../../scripts/hak/hakEnv';
 import { DependencyInfo } from '../../scripts/hak/dep';
 
 export default async function(hakEnv: HakEnv, moduleInfo: DependencyInfo): Promise<void> {
-    if (!hakEnv.isLinux()) {
-        await getSqlCipher(hakEnv, moduleInfo);
-    }
+    await getSqlCipher(hakEnv, moduleInfo);
 
     if (hakEnv.isWin()) {
         await getOpenSsl(hakEnv, moduleInfo);