Your message dated Tue, 17 Feb 2026 10:40:32 +0100
with message-id <[email protected]>
and subject line Re: Bug#1126807: RFS: snuffleupagus/0.13.0-1 [RC] -- Security 
module for php7 and php8
has caused the Debian Bug report #1126807,
regarding RFS: snuffleupagus/0.13.0+ds-1 [RC] -- Security module for php7 and 
php8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1126807: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126807
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sponsorship-requests
Severity: important

Dear mentors,

I am looking for a sponsor for my package "snuffleupagus":

 * Package name     : snuffleupagus
   Version          : 0.13.0-1
   Upstream contact : Julien (jvoisin) Voisin <[email protected]>
 * URL              : https://snuffleupagus.readthedocs.io
 * License          : LGPL-3, PHP-3.01
 * Vcs              : https://salsa.debian.org/cgzones/snuffleupagus
   Section          : php

The source builds the following binary packages:

  php-snuffleupagus - Security module for php7 and php8

To access further information about this package, please visit the
following URL:

  https://mentors.debian.net/package/snuffleupagus/

Alternatively, you can download the package with 'dget' using this command:

  dget -x https://mentors.debian.net/debian/pool/main/s/snuffleupagus/snuffleupagus_0.13.0-1.dsc

Changes since the last upload:

 snuffleupagus (0.13.0-1) unstable; urgency=medium
 .
   * New upstream version 0.13.0
     - fixes CVE-2026-22034
 .
   * Adjust to moved PHP 8 default rules
   * d/control:
     - drop priority and R^3 fields with default value
     - bump to std version 4.7.3 (no further changes)
   * d/watch: rewrite in version 5
   * d/copyright: bump years
   * d/patches: add nonstring attribute to fix GCC 15 build (Closes: #1126792)

Regards,
       Christian Göttsche

--- End Message ---
--- Begin Message ---
Hi Christian,

thanks for the update; I have uploaded it, but I do have remarks in
regards to tweetnacl.

I understand that upstream is careful in regards to updating a crypto
library. That said, comparing it with (what I believe is the canonical)
source of tweetnacl [1], there are already differences, for example
upstream is using a signed variable instead of an unsigned variable as
loop counter… So I would ask upstream to clarify what they think is the
canonical source of tweetnacl (as I might be wrong) and why there are
differences.

[1] https://tweetnacl.cr.yp.to/software.html , version 20140427

On the other hand, tweetnacl is packaged in Debian, it is part of
https://tracker.debian.org/pkg/libcrypto++. The preferred way would be
to use that copy - I did not check if this is possible, tweetnacl.h
is identical with snuffleupagus's at least. libcrypto++ even brings the
function randombytes() …

--> please consider using libcrypto++

If that is not possible, make sure to tell the security team about the
convenience copy.

-- 
Cheers,
tobi



--- End Message ---
