Hey!
On 7/24/24 21:51, Michel Lind wrote:
On Tue, Jul 23, 2024 at 01:36:52PM +0200, František Šumšal wrote:
On 7/19/24 05:42, Michel Lind wrote:
Hi František,
On Wed, Jul 17, 2024 at 10:36:01AM +0200, František Šumšal wrote:
Due to a couple of CVEs I'll need to rebase botan2 in EPEL 8 to a slightly less
ancient version (which also brings me to [0], about which I completely forgot
after I took over the botan2 package, apologies for that). I tried to
cherry-pick just the necessary patches, but there's a lot of conflicts/missing
or moved files/etc. due to the version difference so, in my opinion, doing a
rebase is a way safer option here (and it also makes future maintenance
slightly less painful, since EPEL 8 will be with us for another almost five
years).
I can't rebase to the latest 2.x version, since v2.19.2 drops support for the
OpenSSL provider. I don't know if anyone uses it in EPEL 8, but I don't feel
comfortable dropping it so far in EPEL 8's maintenance cycle. But from the
maintenance point of view this is fine, since with v2.19.1 all necessary CVE
patches (and other bugfixes I cherry-picked along the way) apply cleanly.
Since the rebase also bumps libbotan-2.so from libbotan-2.so.12.12.1 to
libbotan-2.so.19.19.1, packages that depend on it will need to be rebuilt,
namely:
$ dnf repoquery --enablerepo "epel*" --whatrequires "libbotan-2.so*"
botan2-devel-0:2.12.1-4.el8.x86_64
corectrl-0:1.3.0-2.el8.x86_64
keepassxc-0:2.7.9-1.el8.x86_64
qca-qt5-botan-0:2.3.4-2.el8.x86_64
As I don't have provenpackage privileges, I created a side tag
epel8-build-side-92634 with the rebased botan2 build (botan2-2.19.1-2.el8
ATTOW) and kindly ask the maintainers of the affected packages (CC'ed) to add
their builds into it using:
$ fedpkg build --target=epel8-build-side-92634
Since this is my first multi-package build, please let me know if I messed
anything up.
I can help with rebuilding dependent packages -- however, as this is an
incompatible upgrade you need to follow this process:
https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/
*sigh*, I knew I forgot something important. Apologies for that and many thanks
for pointing it out!
We've clarified the policy at the last EPEL meeting:
https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/#process_for_incompatible_upgrades
you can now file the issue requesting an incompatible upgrade
immediately, and we'll schedule it for a vote after a week of discussion
- that way you don't need to remember to file it after a week has
passed.
So if you file it anytime between now and Wednesday, we'll take this up
at next Wednesday's meeting.
Excellent, thank you! I just filed https://pagure.io/epel/issue/287.
This has been approved at the meeting today. Yaakov (cc:ed) had some
observations about one of the packages that he'll share here separately.
Thank you! I reviewed and merged patches for the issues that were raised during
the meeting (thanks to all involved!) and built the package in a new side tag:
$ koji list-tagged epel8-build-side-93327
Build Tag Built by
---------------------------------------- -------------------- ----------------
botan2-2.19.1-4.el8 epel8-build-side-93327 mrc0mmand
Now it should be, hopefully, ready for rebuilds of the dependent packages by
either the respective maintainers (CC'ed) or by a proven packager.
Cheers,
Frantisek
--
_______________________________________________
epel-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
