On Tue, Jul 23, 2024 at 01:36:52PM +0200, František Šumšal wrote:
>
> On 7/19/24 05:42, Michel Lind wrote:
> > Hi František,
> >
> > On Wed, Jul 17, 2024 at 10:36:01AM +0200, František Šumšal wrote:
> > > > >
> > > > > Due to a couple of CVEs I'll need to rebase botan2 in EPEL 8 to a
> > > > > slightly less ancient version (which also brings me to [0], about
> > > > > which I completely forgot after I took over the botan2 package,
> > > > > apologies for that). I tried to cherry-pick just the necessary
> > > > > patches, but there's a lot of conflicts/missing or moved files/etc.
> > > > > due to the version difference so, in my opinion, doing a rebase is a
> > > > > way safer option here (and it also makes future maintenance slightly
> > > > > less painful, since EPEL 8 will be with us for another almost five
> > > > > years).
> > > > >
> > > > > I can't rebase to the latest 2.x version, since v2.19.2 drops support
> > > > > for the OpenSSL provider. I don't know if anyone uses it in EPEL 8,
> > > > > but I don't feel comfortable dropping it so far in EPEL 8's
> > > > > maintenance cycle. But from the maintenance point of view this is
> > > > > fine, since with v2.19.1 all necessary CVE patches (and other
> > > > > bugfixes I cherry-picked along the way) apply cleanly.
> > > > >
> > > > > Since the rebase also bumps libbotan-2.so from libbotan-2.so.12.12.1
> > > > > to libbotan-2.so.19.19.1, packages that depend on it will need to be
> > > > > rebuilt, namely:
> > > > >
> > > > > $ dnf repoquery --enablerepo "epel*" --whatrequires "libbotan-2.so*"
> > > > > botan2-devel-0:2.12.1-4.el8.x86_64
> > > > > corectrl-0:1.3.0-2.el8.x86_64
> > > > > keepassxc-0:2.7.9-1.el8.x86_64
> > > > > qca-qt5-botan-0:2.3.4-2.el8.x86_64
> > > > >
> > > > > As I don't have provenpackage privileges, I created a side tag
> > > > > epel8-build-side-92634 with the rebased botan2 build
> > > > > (botan2-2.19.1-2.el8 ATTOW) and kindly ask the maintainers of the
> > > > > affected packages (CC'ed) to add their builds into it using:
> > > > >
> > > > > $ fedpkg build --target=epel8-build-side-92634
> > > > >
> > > > > Since this is my first multi-package build, please let me know if I
> > > > > messed anything up.
> > > > >
> > > > I can help with rebuilding dependent packages -- however, as this is an
> > > > incompatible upgrade you need to follow this process:
> > > >
> > > > https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/
> > >
> > > *sigh*, I knew I forgot something important. Apologies for that and many
> > > thanks for pointing it out!
> > >
> > We've clarified the policy at the last EPEL meeting:
> >
> > https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/#process_for_incompatible_upgrades
> >
> > you can now file the issue requesting an incompatible upgrade
> > immediately, and we'll schedule it for a vote after a week of discussion
> > - that way you don't need to remember to file it after a week has
> > passed.
> >
> > So if you file it anytime between now and Wednesday, we'll take this up
> > at next Wednesday's meeting.
>
> Excellent, thank you! I just filed https://pagure.io/epel/issue/287.
>

This has been approved at the meeting today.

Yaakov (cc:ed) had some observations about one of the packages that he'll share here separately.

Cheers,

--
 _o) Michel Lind
_( ) identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2
