Hi František,

On Wed, Jul 17, 2024 at 10:36:01AM +0200, František Šumšal wrote:
> > > Due to a couple of CVEs I'll need to rebase botan2 in EPEL 8 to a
> > > slightly less ancient version (which also brings me to [0], about which I
> > > completely forgot after I took over the botan2 package, apologies for
> > > that). I tried to cherry-pick just the necessary patches, but there's a
> > > lot of conflicts/missing or moved files/etc. due to the version
> > > difference so, in my opinion, doing a rebase is a way safer option here
> > > (and it also makes future maintenance slightly less painful, since EPEL 8
> > > will be with us for another almost five years).
> > >
> > > I can't rebase to the latest 2.x version, since v2.19.2 drops support for
> > > the OpenSSL provider. I don't know if anyone uses it in EPEL 8, but I
> > > don't feel comfortable dropping it so far in EPEL 8's maintenance cycle.
> > > But from the maintenance point of view this is fine, since with v2.19.1
> > > all necessary CVE patches (and other bugfixes I cherry-picked along the
> > > way) apply cleanly.
> > >
> > > Since the rebase also bumps libbotan-2.so from libbotan-2.so.12.12.1 to
> > > libbotan-2.so.19.19.1, packages that depend on it will need to be
> > > rebuilt, namely:
> > >
> > > $ dnf repoquery --enablerepo "epel*" --whatrequires "libbotan-2.so*"
> > > botan2-devel-0:2.12.1-4.el8.x86_64
> > > corectrl-0:1.3.0-2.el8.x86_64
> > > keepassxc-0:2.7.9-1.el8.x86_64
> > > qca-qt5-botan-0:2.3.4-2.el8.x86_64
> > >
> > > As I don't have provenpackage privileges, I created a side tag
> > > epel8-build-side-92634 with the rebased botan2 build (botan2-2.19.1-2.el8
> > > ATTOW) and kindly ask the maintainers of the affected packages (CC'ed) to
> > > add their builds into it using:
> > >
> > > $ fedpkg build --target=epel8-build-side-92634
> > >
> > > Since this is my first multi-package build, please let me know if I
> > > messed anything up.
> > >
> > I can help with rebuilding dependent packages -- however, as this is an
> > incompatible upgrade you need to follow this process:
> >
> > https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/
>
> *sigh*, I knew I forgot something important. Apologies for that and many
> thanks for pointing it out!
>

We've clarified the policy at the last EPEL meeting:
https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/#process_for_incompatible_upgrades

you can now file the issue requesting an incompatible upgrade immediately, and we'll schedule it for a vote after a week of discussion - that way you don't need to remember to file it after a week has passed.

So if you file it anytime between now and Wednesday, we'll take this up at next Wednesday's meeting.

Best regards,

--
 _o) Michel Lind
_( ) identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2
