Hi František, On Tue, Jul 16, 2024 at 02:08:23PM +0200, František Šumšal wrote: > Hey, > > Due to a couple of CVEs I'll need to rebase botan2 in EPEL 8 to a slightly less ancient version (which also brings me to [0], about which I completely forgot after I took over the botan2 package, apologies for that). I tried to cherry-pick just the necessary patches, but there's a lot of conflicts/missing or moved files/etc. due to the version difference so, in my opinion, doing a rebase is a way safer option here (and it also makes future maintenance slightly less painful, since EPEL 8 will be with us for another almost five years). > > I can't rebase to the latest 2.x version, since v2.19.2 drops support for the OpenSSL provider. I don't know if anyone uses it in EPEL 8, but I don't feel comfortable dropping it so far in EPEL 8's maintenance cycle. But from the maintenance point of view this is fine, since with v2.19.1 all necessary CVE patches (and other bugfixes I cherry-picked along the way) apply cleanly. > > Since the rebase also bumps libbotan-2.so from libbotan-2.so.12.12.1 to libbotan-2.so.19.19.1, packages that depend on it will need to be rebuilt, namely: > > $ dnf repoquery --enablerepo "epel*" --whatrequires "libbotan-2.so*" > botan2-devel-0:2.12.1-4.el8.x86_64 > corectrl-0:1.3.0-2.el8.x86_64 > keepassxc-0:2.7.9-1.el8.x86_64 > qca-qt5-botan-0:2.3.4-2.el8.x86_64 > > As I don't have provenpackage privileges, I created a side tag epel8-build-side-92634 with the rebased botan2 build (botan2-2.19.1-2.el8 ATTOW) and kindly ask the maintainers of the affected packages (CC'ed) to add their builds into it using: > > $ fedpkg build --target=epel8-build-side-92634 > > Since this is my first multi-package build, please let me know if I messed anything up. > I can help with rebuilding dependent packages -- however, as this is an incompatible upgrade you need to follow this process: https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/ Step one is this email; step two says you can build and submit to testing now if critical (but don't make it automatically request to stable based on time or karma) But given step 3 (discussion for a week) and (4) you need to file an issue and get approval at the EPEL meeting, you probably want to hold off on continuing for now. The meetings are on Wednesdays so we can take this up Wednesday next week if you file the EPEL issue next Tuesday (after allowing for a week of discussion). Best, -- _o) Michel Lind _( ) identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2
Attachment:
signature.asc
Description: PGP signature
-- _______________________________________________ epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
