On 7/19/24 05:42, Michel Lind wrote:
Hi František,
On Wed, Jul 17, 2024 at 10:36:01AM +0200, František Šumšal wrote:
Due to a couple of CVEs I'll need to rebase botan2 in EPEL 8 to a slightly less ancient version (which also brings me to [0], about which I completely forgot after I took over the botan2 package, apologies for that). I tried to cherry-pick just the necessary patches, but there's a lot of conflicts/missing or moved files/etc. due to the version difference so, in my opinion, doing a rebase is a way safer option here (and it also makes future maintenance slightly less painful, since EPEL 8 will be with us for another almost five years).
I can't rebase to the latest 2.x version, since v2.19.2 drops support for the OpenSSL provider. I don't know if anyone uses it in EPEL 8, but I don't feel comfortable dropping it so far in EPEL 8's maintenance cycle. But from the maintenance point of view this is fine, since with v2.19.1 all necessary CVE patches (and other bugfixes I cherry-picked along the way) apply cleanly.
Since the rebase also bumps libbotan-2.so from libbotan-2.so.12.12.1 to libbotan-2.so.19.19.1, packages that depend on it will need to be rebuilt, namely:
$ dnf repoquery --enablerepo "epel*" --whatrequires "libbotan-2.so*"
botan2-devel-0:2.12.1-4.el8.x86_64
corectrl-0:1.3.0-2.el8.x86_64
keepassxc-0:2.7.9-1.el8.x86_64
qca-qt5-botan-0:2.3.4-2.el8.x86_64
As I don't have provenpackage privileges, I created a side tag epel8-build-side-92634 with the rebased botan2 build (botan2-2.19.1-2.el8 ATTOW) and kindly ask the maintainers of the affected packages (CC'ed) to add their builds into it using:
$ fedpkg build --target=epel8-build-side-92634
Since this is my first multi-package build, please let me know if I messed anything up.
I can help with rebuilding dependent packages -- however, as this is an
incompatible upgrade you need to follow this process:
https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/
*sigh*, I knew I forgot something important. Apologies for that and many thanks for pointing it out!
We've clarified the policy at the last EPEL meeting:
https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/#process_for_incompatible_upgrades
you can now file the issue requesting an incompatible upgrade
immediately, and we'll schedule it for a vote after a week of discussion
- that way you don't need to remember to file it after a week has
passed.
So if you file it anytime between now and Wednesday, we'll take this up
at next Wednesday's meeting.
Excellent, thank you! I just filed https://pagure.io/epel/issue/287.
Cheers,
Frantisek
--
_______________________________________________
epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
