[Bug 1674057] Re: [FFe] upgrade libzip to version 1.5.0
This bug was fixed in the package libzip - 1.5.1-0ubuntu1 --- libzip (1.5.1-0ubuntu1) disco; urgency=medium * New upstream release (LP: #1674057) (Closes: #894813) - Removes custom AES implementation in favour of using standard crypto libs * Build with cmake, autotools support was dropped. * Bump debhelper to compat 11 * debian/control - Add Build-dep on libssl-dev and libbz2-dev * debian/libzip5.symbols: Update with new symbols * debian/rules: - Clean up Multi-arch support - set dh_missing to --fail-missing - Drop flags obsolete with dh 11 - Strip -Bsymbolic-functions link flag as it causes test failures * debian/libzip-dev.install: don't install static lib, its not built now * debian/libzip5.lintian-overrides: - override possible-gpl-code-linked-with-openssl, libzip is BSD licensed only the debian packaging is licensed under GPLv3 * debian/copyright: Update to reflect removed code -- Tim Lunn Tue, 27 Nov 2018 10:51:36 +1000 ** Changed in: libzip (Ubuntu) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1674057 Title: [FFe] upgrade libzip to version 1.5.0 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libzip/+bug/1674057/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1674057] Re: [FFe] upgrade libzip to version 1.5.0
** Changed in: libzip (Ubuntu) Status: New => Fix Committed -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1674057 Title: [FFe] upgrade libzip to version 1.5.0 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libzip/+bug/1674057/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1674057] Re: [FFe] upgrade libzip to version 1.5.0
also includes libzip 1.5.1 release from today -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1674057 Title: [FFe] upgrade libzip to version 1.5.0 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libzip/+bug/1674057/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1674057] Re: [FFe] upgrade libzip to version 1.5.0
I have created a transition tracker (copied from Debian) http://people.canonical.com/~ubuntu-archive/transitions/html/libzip.html -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1674057 Title: [FFe] upgrade libzip to version 1.5.0 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libzip/+bug/1674057/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1674057] Re: [FFe] upgrade libzip to version 1.5.0
Packaging should be good to go now, pending FFe approval. All remaining debian/patches are upstream cherry-picks that will be included in next upstream release. -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1674057 Title: [FFe] upgrade libzip to version 1.5.0 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libzip/+bug/1674057/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1674057] Re: [FFe] upgrade libzip to version 1.5.0
** Description changed:
Feature Freeze Justification
This release fixes to two CVE's and most notably has removed its custom AES
crypto implementation with using openssl libraries. It is for the security
reasons I am requesting this FFe this late in the cycle.
Other Changes:
- A bunch of bug fixes
- A number of new features like bzip2 (this optional and could be disabled
for 18.04), improved AES encryption support, some of the new features are other
platforms only
- Breaks API (only 1 symbol was removed though), soname bump, so will require
a mini transition, all the 24 reverse-depends that I count are in universe.
Some are seeded in flavours (see below)
- Build system switched to Cmake in latest release
- Ark will build with libzip support where it didnt before
Testing:
It has a fairly comprehensive test suite, all tests are now passing.
I have run a test rebuild for all the rdepends in ppa:darkxst/libzip.
All built successfully, except for 2 packages, cbmc and plume-creater
- that had unrelated fallout due to gcc7 and other packaging changes.
+ that had unrelated fallout due to gcc7 and other packaging changes
+ (fixed on PPA).
Other Notes:
- - There are a bunch of presumably private symbols leaked into the debian
symbols file. Not ideal, but probably not the only package in the archive like
that.
- - Have forwarded upstream a couple of patches and will follow symbols later
+ - Various fixes (rpath, man page syntax, leaky private symbols and pkg-config
fixes) have been committed upstream and will be released soon in a 1.5.1
release, cherry-picked patches for now
- I will also push for the update into Debian
Build Logs:
-
https://launchpadlibrarian.net/363222435/buildlog_ubuntu-bionic-amd64.libzip_1.5.0-0ubuntu1~bionic3_BUILDING.txt.gz
+
https://launchpadlibrarian.net/363623662/buildlog_ubuntu-bionic-amd64.libzip_1.5.0-0ubuntu1~bionic6_BUILDING.txt.gz
Reverse-depends of libzip4 that are seeded:
ark (from ark) is seeded in:
kubuntu: daily-live
lubuntu-next: daily-live
ideviceinstaller is seeded in:
ubuntu-mate: daily-live
libepub0 is seeded in:
kubuntu: daily-live
ubuntustudio: dvd
libpstoedit0c2a is seeded in:
kubuntu: supported
okular-extra-backends is seeded in:
kubuntu: daily-live
Upstream Changelog
==
1.5.0 [2018-03-11]
==
* Use standard cryptographic library instead of custom AES implementation.
This also simplifies the license.
* Use `clang-format` to format the source code.
* More Windows improvements.
1.4.0 [2017-12-29]
==
* Improve build with cmake
* Retire autoconf/automake build system
* Add `zip_source_buffer_fragment()`.
* Add support to clone unchanged beginning of archive (instead of rewriting
it).
Supported for buffer sources and on Apple File System.
* Add support for Microsoft Universal Windows Platform.
1.3.2 [2017-11-20]
==
* Fix bug introduced in last: zip_t was erroneously freed if zip_close()
failed.
1.3.1 [2017-11-19]
==
* Install zipconf.h into ${PREFIX}/include
* Add zip_libzip_version()
* Fix AES tests on Linux
1.3.0 [2017-09-02]
==
* Support bzip2 compressed zip archives
* Improve file progress callback code
* Fix zip_fdopen()
* CVE-2017-12858: Fix double free()
* CVE-2017-14107: Improve EOCD64 parsing
1.2.0 [2017-02-19]
==
* Support for AES encryption (Winzip version), both encryption
and decryption
* Support legacy zip files with >64k entries
* Fix seeking in zip_source_file if start > 0
* Add zip_fseek() for seeking in uncompressed data
* Add zip_ftell() for telling position in uncompressed data
* Add zip_register_progress_callback() for UI updates during zip_close()
1.1.3 [2016-05-28]
==
* Fix build on Windows when using autoconf
** Patch added: "updated debdiff against debian experimental"
https://bugs.launchpad.net/ubuntu/+source/libzip/+bug/1674057/+attachment/5105030/+files/libzip_1.5.0-r3.debdiff
** Patch removed: "debdiff against version 1.3.2 in Debian experimental"
https://bugs.launchpad.net/ubuntu/+source/libzip/+bug/1674057/+attachment/5102221/+files/libzip_1.5.0-r2.debdiff
--
You received this bug notification because you are a member of Kubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1674057
Title:
[FFe] upgrade libzip to version 1.5.0
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libzip/+bug/1674057/+subscriptions
--
kubuntu-bugs mailing list
kubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1674057] Re: [FFe] upgrade libzip to version 1.5.0
I have been liasing with upstream to sort of the few remaining issues, they have been super responsive, and for the the most part those are fixed upstream, I will update the packaging with upstream fixes once I get back into range of a power point! in the next day or three. -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1674057 Title: [FFe] upgrade libzip to version 1.5.0 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libzip/+bug/1674057/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1674057] Re: [FFe] upgrade libzip to version 1.5.0
** Description changed:
Feature Freeze Justification
This release fixes to two CVE's and most notably has removed its custom AES
crypto implementation with using openssl libraries. It is for the security
reasons I am requesting this FFe this late in the cycle.
Other Changes:
- A bunch of bug fixes
- A number of new features like bzip2 (this optional and could be disabled
for 18.04), improved AES encryption support, some of the new features are other
platforms only
- Breaks API (only 1 symbol was removed though), soname bump, so will require
a mini transition, all the 24 reverse-depends that I count are in universe.
Some are seeded in flavours (see below)
- Build system switched to Cmake in latest release
- Ark will build with libzip support where it didnt before
Testing:
- It has a fairly comprehensive test suite, but I did have to disable for now,
a few problematic tests that fail in the launchpad buildd chroots, but not
elsewhere like local machine or Debian schroot.
+ It has a fairly comprehensive test suite, all tests are now passing.
I have run a test rebuild for all the rdepends in ppa:darkxst/libzip.
All built successfully, except for 2 packages, cbmc and plume-creater
that had unrelated fallout due to gcc7 and other packaging changes.
Other Notes:
- There are a bunch of presumably private symbols leaked into the debian
symbols file. Not ideal, but probably not the only package in the archive like
that.
- - I will follow up with upstream issues for the RPATH stuff, tests and
symbols later
+ - Have forwarded upstream a couple of patches and will follow symbols later
- I will also push for the update into Debian
Build Logs:
https://launchpadlibrarian.net/363222435/buildlog_ubuntu-bionic-amd64.libzip_1.5.0-0ubuntu1~bionic3_BUILDING.txt.gz
Reverse-depends of libzip4 that are seeded:
ark (from ark) is seeded in:
kubuntu: daily-live
lubuntu-next: daily-live
ideviceinstaller is seeded in:
ubuntu-mate: daily-live
libepub0 is seeded in:
kubuntu: daily-live
ubuntustudio: dvd
libpstoedit0c2a is seeded in:
kubuntu: supported
okular-extra-backends is seeded in:
kubuntu: daily-live
Upstream Changelog
==
1.5.0 [2018-03-11]
==
* Use standard cryptographic library instead of custom AES implementation.
This also simplifies the license.
* Use `clang-format` to format the source code.
* More Windows improvements.
1.4.0 [2017-12-29]
==
* Improve build with cmake
* Retire autoconf/automake build system
* Add `zip_source_buffer_fragment()`.
* Add support to clone unchanged beginning of archive (instead of rewriting
it).
Supported for buffer sources and on Apple File System.
* Add support for Microsoft Universal Windows Platform.
1.3.2 [2017-11-20]
==
* Fix bug introduced in last: zip_t was erroneously freed if zip_close()
failed.
1.3.1 [2017-11-19]
==
* Install zipconf.h into ${PREFIX}/include
* Add zip_libzip_version()
* Fix AES tests on Linux
1.3.0 [2017-09-02]
==
* Support bzip2 compressed zip archives
* Improve file progress callback code
* Fix zip_fdopen()
* CVE-2017-12858: Fix double free()
* CVE-2017-14107: Improve EOCD64 parsing
1.2.0 [2017-02-19]
==
* Support for AES encryption (Winzip version), both encryption
and decryption
* Support legacy zip files with >64k entries
* Fix seeking in zip_source_file if start > 0
* Add zip_fseek() for seeking in uncompressed data
* Add zip_ftell() for telling position in uncompressed data
* Add zip_register_progress_callback() for UI updates during zip_close()
1.1.3 [2016-05-28]
==
* Fix build on Windows when using autoconf
** Patch added: "debdiff against version 1.3.2 in Debian experimental"
https://bugs.launchpad.net/ubuntu/+source/libzip/+bug/1674057/+attachment/5102221/+files/libzip_1.5.0-r2.debdiff
** Patch removed: "debdiff against version 1.3.2 in Debian experimental"
https://bugs.launchpad.net/ubuntu/+source/libzip/+bug/1674057/+attachment/5101199/+files/libzip_1.5.debdiff
--
You received this bug notification because you are a member of Kubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1674057
Title:
[FFe] upgrade libzip to version 1.5.0
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libzip/+bug/1674057/+subscriptions
--
kubuntu-bugs mailing list
kubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1674057] Re: [FFe] upgrade libzip to version 1.5.0
** Changed in: libzip (Debian) Status: Unknown => New -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1674057 Title: [FFe] upgrade libzip to version 1.5.0 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libzip/+bug/1674057/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1674057] Re: [FFe] upgrade libzip to version 1.5.0
** Changed in: libzip (Ubuntu Bionic) Status: In Progress => New ** No longer affects: libzip (Ubuntu Bionic) ** Tags added: bionic -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1674057 Title: [FFe] upgrade libzip to version 1.5.0 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libzip/+bug/1674057/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1674057] Re: [FFe] upgrade libzip to version 1.5.0
** Patch added: "debdiff against version 1.3.2 in Debian experimental" https://bugs.launchpad.net/ubuntu/+source/libzip/+bug/1674057/+attachment/5101199/+files/libzip_1.5.debdiff -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1674057 Title: [FFe] upgrade libzip to version 1.5.0 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libzip/+bug/1674057/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1674057] Re: [FFe] upgrade libzip to version 1.5.0
** Description changed:
- Please consider upgrading libzip to the newest version (currently 1.20).
- It comes with important changes (details here:
- https://nih.at/libzip/NEWS.html) and also it's used by ark since commit
- ee74c157daf3604277ffcf10d2a89b2b59556dd7:
+ Feature Freeze Justification
+
+ This release fixes to two CVE's and most notably has removed its custom AES
crypto implementation with using openssl libraries. It is for the security
reasons I am requesting this FFe this late in the cycle.
- Add libzip plugin
- A new plugin for libzip was added. The plugin is only built if libzip
- 1.20 or higher is installed, but is the preferred plugin for zip
- archives.
+ Other Changes:
+ - A bunch of bug fixes
+ - A number of new features like bzip2 (this optional and could be disabled
for 18.04), improved AES encryption support, some of the new features are other
platforms only
+ - Breaks API (only 1 symbol was removed though), soname bump, so will require
a mini transition, all the 23-odd reverse-depends that I count are in universe.
+ - they appear to have dropped their custom AES implementation in favour of
using openssl (this should be a plus!)
+ - Build system switched to Cmake in latest release
+
+
+ Testing:
+ It has a fairly comprehensive test suite, but I did have to disable for now,
a few problematic tests that fail in the launchpad buildd chroots, but not
elsewhere like local machine or Debian schroot.
+
+ I have run a test rebuild for all the rdepends in ppa:darkxst/libzip.
+ All built successfully, except for 2 packages, cbmc and plume-creater
+ that had unrelated fallout due to gcc7 and other packaging changes.
+
+ Other Notes:
+ - There are a bunch of presumably private symbols leaked into the debian
symbols file. Not ideal, but probably not the only package in the archive like
that.
+ - I will follow up with upstream issues for the RPATH stuff, tests and
symbols later
+ - I will also push for the update into Debian
+
+ Build Logs:
+
https://launchpadlibrarian.net/363222435/buildlog_ubuntu-bionic-amd64.libzip_1.5.0-0ubuntu1~bionic3_BUILDING.txt.gz
+
+
+ Upstream Changelog
+ ==
+ 1.5.0 [2018-03-11]
+ ==
+
+ * Use standard cryptographic library instead of custom AES implementation.
+ This also simplifies the license.
+ * Use `clang-format` to format the source code.
+ * More Windows improvements.
+
+ 1.4.0 [2017-12-29]
+ ==
+
+ * Improve build with cmake
+ * Retire autoconf/automake build system
+ * Add `zip_source_buffer_fragment()`.
+ * Add support to clone unchanged beginning of archive (instead of rewriting
it).
+ Supported for buffer sources and on Apple File System.
+ * Add support for Microsoft Universal Windows Platform.
+
+ 1.3.2 [2017-11-20]
+ ==
+ * Fix bug introduced in last: zip_t was erroneously freed if zip_close()
failed.
+
+ 1.3.1 [2017-11-19]
+ ==
+
+ * Install zipconf.h into ${PREFIX}/include
+ * Add zip_libzip_version()
+ * Fix AES tests on Linux
+
+ 1.3.0 [2017-09-02]
+ ==
+
+ * Support bzip2 compressed zip archives
+ * Improve file progress callback code
+ * Fix zip_fdopen()
+ * CVE-2017-12858: Fix double free()
+ * CVE-2017-14107: Improve EOCD64 parsing
+
+ 1.2.0 [2017-02-19]
+ ==
+
+ * Support for AES encryption (Winzip version), both encryption
+ and decryption
+ * Support legacy zip files with >64k entries
+ * Fix seeking in zip_source_file if start > 0
+ * Add zip_fseek() for seeking in uncompressed data
+ * Add zip_ftell() for telling position in uncompressed data
+ * Add zip_register_progress_callback() for UI updates during zip_close()
+
+ 1.1.3 [2016-05-28]
+ ==
+
+ * Fix build on Windows when using autoconf
--
You received this bug notification because you are a member of Kubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1674057
Title:
[FFe] upgrade libzip to version 1.5.0
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libzip/+bug/1674057/+subscriptions
--
kubuntu-bugs mailing list
kubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1674057] Re: [FFe] upgrade libzip to version 1.5.0
** Summary changed: - [needs packaging] upgrade libzip to version 1.20 + [FFe] upgrade libzip to version 1.5.0 -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1674057 Title: [FFe] upgrade libzip to version 1.5.0 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libzip/+bug/1674057/+subscriptions -- kubuntu-bugs mailing list kubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
