From: Leo Famulari
Subject: bug#24674: Dropbear bundled libraries
Date: Wed, 12 Oct 2016 11:15:03 -0400
Message-ID: <20161012151503.GA22149@jasmine>
To: 24674@debbugs.gnu.org
List-Id: Bug reports for GNU Guix

Our Dropbear package bundles the libraries libtommath and libtomcrypt
[0], and their bundled changelogs imply that they date from 2006.

The Dropbear CHANGES [1] file shows that some attempt has been made to
cherry-pick some bug fixes. It also looks like Dropbear has made their
own changes to the bundled libraries.

Apparently it is possible to build against non-bundled libraries [2].
Both libraries have had new releases in the last ten years [3].

It appears that Debian does use the bundled libraries [4].

In July, I asked Matt Johnston, the Dropbear author, how far the bundled
copies had diverged from upstream and if it was safe to unbundle them,
but I didn't get a response.

[0]
https://github.com/libtom
https://github.com/mkj/dropbear/tree/master/libtomcrypt
https://github.com/mkj/dropbear/tree/master/libtommath

[1]
https://github.com/mkj/dropbear/blob/master/CHANGES#L481

[2]
https://github.com/mkj/dropbear/blob/master/CHANGES#L532
"- Attempt to build against system libtomcrypt/libtommath if available.
This can be disabled with ./configure --enable-bundled-libtom"

[3]
https://github.com/libtom/libtomcrypt/releases
https://github.com/libtom/libtommath/releases

[4]
https://packages.debian.org/sid/dropbear