bug#24674: Dropbear bundled libraries
On Fri, Dec 18, 2020 at 04:29:37PM -0500, Leo Famulari wrote: > TODO: > 1) Package libtomcrypt 1.18.2 > 2) Try building Dropbear with libtommath and libtomcrypt Guix packages Packaging libtomcrypt is easy, but building Dropbear without using the bundled libtom libraries is still not that simple. I tried building Dropbear with "--disable-bundled-libtom" but the build scripts don't automatically find the shared libraries. My primary motivation for filing this bug was the risk of serious bugs in the old copies of the libtom libraries. Since Dropbear has upgraded their copies, makes enough modifications that they think it's worth forking, and because using the external libraries is complicated, I'm closing this bug as-is. But I'm also leaving the comment in the Dropbear package definition.
bug#24674: Dropbear bundled libraries
On Fri, Dec 18, 2020 at 08:53:23PM +0100, zimoun wrote: > with the last update 2020-10-29, I propose to mark it as ’severe’ and > put it in the list of bugs which should be fixed for the next (or > next-next) release. WDYT? Dropbear 2020.79 includes this text in the CHANGES file: -- - Upgrade libtomcrypt to 1.18.2 and libtommath to 1.2.0, many thanks to Steffen Jaeckel for updating Dropbear to use the current API. Dropbear's configure script will check for sufficient system library versions, otherwise using the bundled versions. -- And in 2020.80: -- - Improve checking libtomcrypt version compatibility -- So, it might be possible now to use "system" copies of these libraries. Previously, I couldn't figure out how to do it work or if Dropbear would continue to work correctly. We have a package of libtommath 1.2.0. TODO: 1) Package libtomcrypt 1.18.2 2) Try building Dropbear with libtommath and libtomcrypt Guix packages
bug#24674: Dropbear bundled libraries
Hi, On Wed, 12 Oct 2016 at 11:15, Leo Famulari wrote: > Our Dropbear package bundles the libraries libtommath and libtomcrypt > [0], and their bundled changelogs imply that they date from 2006. Since the package still contains the comment: --8<---cut here---start->8--- (arguments `(#:tests? #f)) ; there is no "make check" or anything similar ;; TODO: Investigate unbundling libtommath and libtomcrypt or at least ;; cherry-picking important bug fixes from them. See ;; for more information. --8<---cut here---end--->8--- with the last update 2020-10-29, I propose to mark it as ’severe’ and put it in the list of bugs which should be fixed for the next (or next-next) release. WDYT? All the best, simon
bug#24674: Dropbear bundled libraries
Our Dropbear package bundles the libraries libtommath and libtomcrypt [0], and their bundled changelogs imply that they date from 2006. The Dropbear CHANGES [1] file shows that some attempt has been made to cherry-pick some bug fixes. It also looks like Dropbear has made their own changes to the bundled libraries. Apparently it is possible to build against non-bundled libraries [2]. Both libraries have had new releases in the last ten years [3]. It appears that Debian does use the bundled libraries [4]. In July, I asked Matt Johnston, the Dropbear author, how far the bundled copies had diverged from upstream and if it was safe to unbundle them, but I didn't get a response. [0] https://github.com/libtom https://github.com/mkj/dropbear/tree/master/libtomcrypt https://github.com/mkj/dropbear/tree/master/libtommath [1] https://github.com/mkj/dropbear/blob/master/CHANGES#L481 [2] https://github.com/mkj/dropbear/blob/master/CHANGES#L532 "- Attempt to build against system libtomcrypt/libtommath if available. This can be disabled with ./configure --enable-bundled-libtom" [3] https://github.com/libtom/libtomcrypt/releases https://github.com/libtom/libtommath/releases [4] https://packages.debian.org/sid/dropbear signature.asc Description: PGP signature