On 2018-12-18 14:34:06, Emilio Pozuelo Monfort wrote: [...]
> Looking at a jessie -> jessie-new diff, I see that several -dbg packages are > gone in your backports. Yes. That's because they were switched to dbgsym in stretch, but that mecanism wasn't supported in jessie. I did a "fast" backport which meant just dropping those, but I could possibly re-create the -dbg packages for jessie-security, especially considering we might trigger bugs and regressions which could really use dbg/gdb support. > There are some mingw builds as well, which in some cases > don't seemto be installed, but e.g. libgpg-error actually adds a mingw > package. > I would remove all that stuff. Hmm... I *thought* I explicitely removed all that stuff, but i'll make sure to remove that one as well, thanks for the catch! > The npth diff is pretty trivial, basically comes down to this: > > src/npth.c | 132 ++++ Neat, I'll explicitely review that one then. > libassuan is a bit larger, but not too bad: > > $ diff libassuan-2.*/src/ | diffstat | tail -1 > 26 files changed, 1492 insertions(+), 510 deletions(-) > > (some of that is Makefile.in) Probably worth reviewing as well... > libgpg-error has some autogenerated stuff, ignoring that it's mostly this: > > estream.c | 1456 > +++++++++++++------ ... and same. > libgcrypt is a bit more worrying, even after dropping most of the noise: > > $ diff libgcrypt20-1.*/ | filterdiff -x '*.pc/*' -x '*/debian/*' -x > '*/tests/*' > | diffstat | tail -1 > 263 files changed, 51927 insertions(+), 14888 deletions(-) Yeah, that's my concern as well. Daniel, what do you think of that diff? Is that something we can reasonably review? How much can we expect stability in that upgrade? I know you stated before general principles of gpg vs lib / API stability, but I'd be curious to hear your thoughts on gcrypt, in this specific case. > FWIW I see that Ubuntu added OpenPGP.js back, and is using gnupg 2.0.x in > trusty. We ruled that out because supporting gnupg 2.0.x is unfeasible or > because we are missing some dependencies for OpenGPG.js ? Can't we just use > the > bundled code inside enigmail? Sorry if these questions have already been > answered. I have looked at the various long threads but wasn't sure. Yeah, I went down that rabbit hole... three months ago now! I documented my work in bug #787774. It's a complicated set of nesting dependencies, and many packages would first need to cross NEW in unstable (let alone stretch / jessie) before this lands in Debian. A summary of the situation is here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787774#49 I made a wiki page, back then, detailing all those dependencies. I am just re-running the script again to get an accurate picture: https://wiki.debian.org/Javascript/Nodejs/Tasks/openpgp That's all stuff in unstable, mind you. All that would need to trickle down in jessie somehow, and that includes npm/nodejs, which I am not sure are in good health in jessie in the first place. A. -- During times of universal deceit, telling the truth becomes a revolutionary act. - Georges Orwell