emacs-bug-tracker

bug#24674: closed (Dropbear bundled libraries)


From: GNU bug Tracking System
Subject: bug#24674: closed (Dropbear bundled libraries)
Date: Sat, 19 Dec 2020 06:41:01 +0000

Your message dated Sat, 19 Dec 2020 01:40:46 -0500
with message-id <X92gbs8VWqe4T/Vh@jasmine.lan>
and subject line Re: bug#24674: Dropbear bundled libraries
has caused the debbugs.gnu.org bug report #24674,
regarding Dropbear bundled libraries
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs@gnu.org.)


-- 
24674: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=24674
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
--- Begin Message ---
Subject: Dropbear bundled libraries
Date: Wed, 12 Oct 2016 11:15:03 -0400
User-agent: Mutt/1.7.0 (2016-08-17)

Our Dropbear package bundles the libraries libtommath and libtomcrypt
[0], and their bundled changelogs imply that they date from 2006.

The Dropbear CHANGES [1] file shows that some attempt has been made to
cherry-pick some bug fixes. It also looks like Dropbear has made their
own changes to the bundled libraries.

Apparently it is possible to build against non-bundled libraries [2].
Both libraries have had new releases in the last ten years [3].

It appears that Debian does use the bundled libraries [4].

In July, I asked Matt Johnston, the Dropbear author, how far the bundled
copies had diverged from upstream and if it was safe to unbundle them,
but I didn't get a response.

[0]
https://github.com/libtom
https://github.com/mkj/dropbear/tree/master/libtomcrypt
https://github.com/mkj/dropbear/tree/master/libtommath

[1]
https://github.com/mkj/dropbear/blob/master/CHANGES#L481

[2]
https://github.com/mkj/dropbear/blob/master/CHANGES#L532
"- Attempt to build against system libtomcrypt/libtommath if available.
This can be disabled with ./configure --enable-bundled-libtom"

[3]
https://github.com/libtom/libtomcrypt/releases
https://github.com/libtom/libtommath/releases

[4]
https://packages.debian.org/sid/dropbear


--- End Message ---
--- Begin Message ---
Subject: Re: bug#24674: Dropbear bundled libraries
Date: Sat, 19 Dec 2020 01:40:46 -0500

On Fri, Dec 18, 2020 at 04:29:37PM -0500, Leo Famulari wrote:
> TODO:
> 1) Package libtomcrypt 1.18.2
> 2) Try building Dropbear with libtommath and libtomcrypt Guix packages

Packaging libtomcrypt is easy, but building Dropbear without using the
bundled libtom libraries is still not that simple. I tried building
Dropbear with "--disable-bundled-libtom" but the build scripts don't
automatically find the shared libraries.

My primary motivation for filing this bug was the risk of serious bugs
in the old copies of the libtom libraries.

Since Dropbear has upgraded their copies, makes enough modifications
that they think it's worth forking, and because using the external
libraries is complicated, I'm closing this bug as-is. But I'm also
leaving the comment in the Dropbear package definition.


--- End Message ---
