On Tue, Jul 23, 2024 at 01:36:52PM +0200, František Šumšal wrote: > > On 7/19/24 05:42, Michel Lind wrote: > > Hi František, > > > > On Wed, Jul 17, 2024 at 10:36:01AM +0200, František Šumšal wrote: > > > > > > > > > > Due to a couple of CVEs I'll need to rebase botan2 in EPEL 8 to a slightly less ancient version (which also brings me to [0], about which I completely forgot after I took over the botan2 package, apologies for that). I tried to cherry-pick just the necessary patches, but there's a lot of conflicts/missing or moved files/etc. due to the version difference so, in my opinion, doing a rebase is a way safer option here (and it also makes future maintenance slightly less painful, since EPEL 8 will be with us for another almost five years). > > > > > > > > > > I can't rebase to the latest 2.x version, since v2.19.2 drops support for the OpenSSL provider. I don't know if anyone uses it in EPEL 8, but I don't feel comfortable dropping it so far in EPEL 8's maintenance cycle. But from the maintenance point of view this is fine, since with v2.19.1 all necessary CVE patches (and other bugfixes I cherry-picked along the way) apply cleanly. > > > > > > > > > > Since the rebase also bumps libbotan-2.so from libbotan-2.so.12.12.1 to libbotan-2.so.19.19.1, packages that depend on it will need to be rebuilt, namely: > > > > > > > > > > $ dnf repoquery --enablerepo "epel*" --whatrequires "libbotan-2.so*" > > > > > botan2-devel-0:2.12.1-4.el8.x86_64 > > > > > corectrl-0:1.3.0-2.el8.x86_64 > > > > > keepassxc-0:2.7.9-1.el8.x86_64 > > > > > qca-qt5-botan-0:2.3.4-2.el8.x86_64 > > > > > > > > > > As I don't have provenpackage privileges, I created a side tag epel8-build-side-92634 with the rebased botan2 build (botan2-2.19.1-2.el8 ATTOW) and kindly ask the maintainers of the affected packages (CC'ed) to add their builds into it using: > > > > > > > > > > $ fedpkg build --target=epel8-build-side-92634 > > > > > > > > > > Since this is my first multi-package build, please let me know if I messed anything up. > > > > > > > > > I can help with rebuilding dependent packages -- however, as this is an > > > > incompatible upgrade you need to follow this process: > > > > > > > > https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/ > > > > > > *sigh*, I knew I forgot something important. Apologies for that and many thanks for pointing it out! > > > > > We've clarified the policy at the last EPEL meeting: > > > > https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/#process_for_incompatible_upgrades > > > > you can now file the issue requesting an incompatible upgrade > > immediately, and we'll schedule it for a vote after a week of discussion > > - that way you don't need to remember to file it after a week has > > passed. > > > > So if you file it anytime between now and Wednesday, we'll take this up > > at next Wednesday's meeting. > > Excellent, thank you! I just filed https://pagure.io/epel/issue/287. > This has been approved at the meeting today. Yaakov (cc:ed) had some observations about one of the packages that he'll share here separately. Cheers, -- _o) Michel Lind _( ) identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2
Attachment:
signature.asc
Description: PGP signature
-- _______________________________________________ epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue