Graham Inggs <gin...@debian.org> writes:

> we have identified nettle as a source package shipping runtime
> libraries whose ABI either is affected by the change in size of
> time_t, or could not be analyzed via abi-compliance-checker (and
> therefore to be on the safe side we assume is affected).

It looks like these are the uses of time_t in nettle:

  $ git grep time_t
  pgp-encode.c:                  time_t timestamp)
  pgp.h:                 time_t timestamp);
  rsa2openpgp.c:  time_t now = time(NULL);

This is a bit unfortunate. This code was added in 2003 in an effort to
provide support for public keys and signatures in openpgp format, but
that code is neither in good shape nor at all documented. But the code
*is* exposed by the shared library ABI, so I'm afraid the ABI
technically depends on the size of time_t.

However, this code is in the *libhogweed* so-file, so transitioning
*libnettle* is probably not needed.

In Debian Code Search, I find exactly one match outside of nettle for
the nettle/pgp.h header file declaring the affected functions:
https://sources.debian.org/src/rust-nettle-sys/2.2.0-2/bindgen-wrapper.h/?hl=40#L40.
I don't find any calls to the problematic functions themselves, which
are rsa_keypair_to_openpgp and pgp_put_public_rsa_key.

(The code in question wants to write the timestamp into an openpgp
public key packet, and uses a 32-bit wire format for that. See
https://sources.debian.org/src/nettle/3.9.1-2/pgp-encode.c/#L235. I have
not been following openpgp developments, but I would hope there's some
protocol update to support a larger time stamp?)

Regards,
/Niels

-- 
Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677.
Internet email is subject to wholesale government surveillance.
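The 32-bit creation-time field discussed in the parenthetical above, as an added illustration that is not nettle's code: a minimal encoder and decoder for that 4-octet big-endian field, plus a check for when a time_t value no longer survives the round trip. The function names are hypothetical; the encoder deliberately takes a time_t parameter, which is exactly the kind of signature whose calling convention changes with the size of time_t.

```c
#include <stdint.h>
#include <stddef.h>
#include <time.h>

/* Largest creation time the 4-octet OpenPGP field can carry (2106-02-07). */
#define PGP_TIME_MAX UINT32_C(0xffffffff)

/* Write a creation time into the 4-octet big-endian field used by OpenPGP
 * key packets. Returns 1 on success, 0 if the value does not fit (negative
 * or beyond PGP_TIME_MAX), in which case out is left untouched.
 * Note the time_t parameter: with a 32-bit time_t the caller passes 4 bytes,
 * with a 64-bit time_t 8 bytes, so the symbol's ABI depends on sizeof(time_t). */
int pgp_put_time32(uint8_t out[4], time_t ts)
{
    if (ts < 0 || (uint64_t) ts > PGP_TIME_MAX)
        return 0;
    uint32_t v = (uint32_t) ts;
    out[0] = (uint8_t) (v >> 24);
    out[1] = (uint8_t) (v >> 16);
    out[2] = (uint8_t) (v >> 8);
    out[3] = (uint8_t) v;
    return 1;
}

/* Read the field back as an unsigned 32-bit quantity widened to 64 bits,
 * so the result is never negative regardless of the platform's time_t. */
int64_t pgp_get_time32(const uint8_t in[4])
{
    return ((int64_t) in[0] << 24) | ((int64_t) in[1] << 16)
         | ((int64_t) in[2] << 8)  |  (int64_t) in[3];
}

/* Does a 64-bit timestamp survive encode/decode on a platform whose time_t
 * has the given size in bytes? Values above INT32_MAX fit the wire format but
 * come back negative when stored into a 32-bit signed time_t (the 2038 case). */
int pgp_time_roundtrips(int64_t ts, size_t time_t_size)
{
    if (ts < 0 || ts > (int64_t) PGP_TIME_MAX)
        return 0;
    if (time_t_size == 4 && ts > INT32_MAX)
        return 0;
    return 1;
}
```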
