[EPEL-devel] Re: libbotan-2 soname bump in EPEL 8

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 7/19/24 05:42, Michel Lind wrote:
Hi František,

On Wed, Jul 17, 2024 at 10:36:01AM +0200, František Šumšal wrote:

Due to a couple of CVEs I'll need to rebase botan2 in EPEL 8 to a slightly less ancient version (which also brings me to [0], about which I completely forgot after I took over the botan2 package, apologies for that). I tried to cherry-pick just the necessary patches, but there's a lot of conflicts/missing or moved files/etc. due to the version difference so, in my opinion, doing a rebase is a way safer option here (and it also makes future maintenance slightly less painful, since EPEL 8 will be with us for another almost five years).

I can't rebase to the latest 2.x version, since v2.19.2 drops support for the OpenSSL provider. I don't know if anyone uses it in EPEL 8, but I don't feel comfortable dropping it so far in EPEL 8's maintenance cycle. But from the maintenance point of view this is fine, since with v2.19.1 all necessary CVE patches (and other bugfixes I cherry-picked along the way) apply cleanly.

Since the rebase also bumps libbotan-2.so from libbotan-2.so.12.12.1 to libbotan-2.so.19.19.1, packages that depend on it will need to be rebuilt, namely:

$ dnf repoquery --enablerepo "epel*" --whatrequires "libbotan-2.so*"
botan2-devel-0:2.12.1-4.el8.x86_64
corectrl-0:1.3.0-2.el8.x86_64
keepassxc-0:2.7.9-1.el8.x86_64
qca-qt5-botan-0:2.3.4-2.el8.x86_64

As I don't have provenpackage privileges, I created a side tag epel8-build-side-92634 with the rebased botan2 build (botan2-2.19.1-2.el8 ATTOW) and kindly ask the maintainers of the affected packages (CC'ed) to add their builds into it using:

$ fedpkg build --target=epel8-build-side-92634

Since this is my first multi-package build, please let me know if I messed anything up.

I can help with rebuilding dependent packages -- however, as this is an
incompatible upgrade you need to follow this process:

https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/

*sigh*, I knew I forgot something important. Apologies for that and many thanks for pointing it out!

We've clarified the policy at the last EPEL meeting:

https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/#process_for_incompatible_upgrades

you can now file the issue requesting an incompatible upgrade
immediately, and we'll schedule it for a vote after a week of discussion
- that way you don't need to remember to file it after a week has
   passed.

So if you file it anytime between now and Wednesday, we'll take this up
at next Wednesday's meeting.

Excellent, thank you! I just filed https://pagure.io/epel/issue/287.

Cheers,
Frantisek
--
_______________________________________________
epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Index of Archives]     [Fedora Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Announce]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Linux Apps]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux