On 2/3/23 8:04 AM, Pete Walter wrote: > I took over libgit2 from Igor when he gave up all his packages and have > since tried to get it up to date. libgit2 is a bit special because it > bumps soname every once in a while and then other packages often fail to > rebuild against the new version both because of libgit2 API changes and > because they are FTBFS due to unrelated issues (hi new gcc). libgit2 is > also network facing and due to this has a high number of security issues > so it is very important to keep it up to date. > > I think I have a good plan now how to keep it up to date without too > much disruption and it is as follows: > > Update libgit2 to new version in rawhide as soon as it is released. At > the same time, create a compat package for the old API and add it to > rawhide. Keep the old API compat package in rawhide for 6 months or as > long as it takes for everything to switch over to the latest version. > > Today, we have 3 versions in rawhide (libgit2 was updated from 1.3.x to > 1.4.x and then 1.5.x over the last month and the compat packages were > added today): > > libgit2 package with version 1.5.1 (security supported still from upstream) > libgit2_1.4 package with version 1.4.5 (security supported still from > upstream) > libgit2_1.3 package with version 1.3.2 (EOL upstream) Thank you for taking care of this! I've had rust (subpkg cargo) using its own bundled copy due to the lack of updates, but I'll happily flip that back. Since Rust bootstraps itself, it's important to always have the old version working while I rebuild to a new version, but the compat scheme should be fine -- we do the same for LLVM libs. (Note regarding that 1.5.1 security issue, cargo fixed it independently in 1.66.1, so there's no bundling worry about that one.) > I intend to retire libgit2_1.3 as soon as git-time-metric > (https://bugzilla.redhat.com/show_bug.cgi?id=2162852 > <https://bugzilla.redhat.com/show_bug.cgi?id=2162852>) and > golang-github-libgit2-git2go > (https://bugzilla.redhat.com/show_bug.cgi?id=2152113 > <https://bugzilla.redhat.com/show_bug.cgi?id=2152113)>) are fixed. > I intend to retire libgit2_1.4 as soon as julia > (https://bugzilla.redhat.com/show_bug.cgi?id=2165534 > <https://bugzilla.redhat.com/show_bug.cgi?id=2165534>) and > rpm-git-tag-sort (https://bugzilla.redhat.com/show_bug.cgi?id=2165535 > <https://bugzilla.redhat.com/show_bug.cgi?id=2165535>) are fixed. > > The rest of the dependencies are already rebuilt to use libgit2. > > I think this kind of compat package system could even allow updating > libgit2 to latest versions in stable Fedora branches and in EPEL. I want > to test this out in rawhide first though and see if it works well enough. > > Pete > > _______________________________________________ > devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue