unofficial mirror of guix-patches@gnu.org 
* [bug#30448] Update librsync to 2.0.1
@ 2018-02-13 19:01 Leo Famulari
  2018-02-15 14:27 ` Ludovic Courtès
  2019-02-13 21:26 ` [bug#30448] [PATCH] gnu: librsync: Update to 2.0.2 Leo Famulari
  0 siblings, 2 replies; 11+ messages in thread
From: Leo Famulari @ 2018-02-13 19:01 UTC (permalink / raw)
  To: 30448


librsync 2.0.1 is available at a new upstream URL:

https://github.com/librsync/librsync/releases

Patch attached.

This would also include the fix for CVE-2014-8242, which is about use of
a cryptographically broken hash function (truncated MD4), released in
librsync 1.0.0.

However, at least btar and rdiff-backup aren't compatible with this new
version of librsync (I'm still building deja-dup to test its
compatibility).

Additionally, I noticed that the built package doesn't keep any
references to bzip2 or zlib, which seems wrong to me.

Is anyone using one of the dependent packages interested in looking more
closely at this?

[-- Attachment #1.2: 0001-gnu-librsync-Update-to-2.0.1.patch --]
[-- Type: text/plain, Size: 3407 bytes --]

From f89c21668a82a78bdc7b7bf5d2a0a3418032b582 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Tue, 13 Feb 2018 13:50:26 -0500
Subject: [PATCH] gnu: librsync: Update to 2.0.1.

* gnu/packages/rsync.scm (librsync): Update to 2.0.1.
[source]: Update source URL.
[build-system]: Use cmake-build-system.
[inputs]: Add bzip2, popt, and zlib.
[arguments]: Remove field.
---
 gnu/packages/rsync.scm | 27 +++++++++++++++++----------
 1 file changed, 17 insertions(+), 10 deletions(-)

diff --git a/gnu/packages/rsync.scm b/gnu/packages/rsync.scm
index 4fed03523..6f4c1aec9 100644
--- a/gnu/packages/rsync.scm
+++ b/gnu/packages/rsync.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2018 Leo Famulari <leo@famulari.name>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -21,12 +22,15 @@
 
 (define-module (gnu packages rsync)
   #:use-module (gnu packages)
-  #:use-module (gnu packages perl)
   #:use-module (gnu packages acl)
   #:use-module (gnu packages base)
-  #:use-module (guix licenses)
+  #:use-module (gnu packages compression)
+  #:use-module (gnu packages perl)
+  #:use-module (gnu packages popt)
+  #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix packages)
   #:use-module (guix download)
+  #:use-module (guix build-system cmake)
   #:use-module (guix build-system gnu))
 
 
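Review bot: The switch to `#:use-module ((guix licenses) #:prefix license:)` and the move of `(gnu packages perl)` are not mentioned in the commit log, which only lists changes to the librsync fields. The prefix change touches every `license` field in the file (the rsync package as well as librsync), so either add a line for it to the log or split it into its own commit, which keeps the version bump easy to review and revert.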
@@ -51,25 +55,28 @@ to/from another host over any remote shell, or to/from a remote rsync daemon.
 Its delta-transfer algorithm reduces the amount of data sent over the network
 by sending only the differences between the source files and the existing
 files in the destination.")
-   (license gpl3+)
+   (license license:gpl3+)
    (home-page "http://rsync.samba.org/")))
 
 (define-public librsync
   (package
     (name "librsync")
-    (version "0.9.7")
+    (version "2.0.1")
        (source (origin
             (method url-fetch)
-            (uri (string-append "mirror://sourceforge/librsync/librsync/"
-                                version "/librsync-" version ".tar.gz"))
+            (uri (string-append "https://github.com/librsync/librsync/archive/v"
+                                version ".tar.gz"))
             (sha256
              (base32
-              "1mj1pj99mgf1a59q9f2mxjli2fzxpnf55233pc1klxk2arhf8cv6"))))
-   (build-system gnu-build-system)
+              "0pk2a9kpwlpxjn35v8m03wmxz0lv56kq1chs3yi75z543826kkkg"))))
+   (build-system cmake-build-system)
+   (inputs
+    `(("bzip2" ,bzip2)
+      ("popt" ,popt)
+      ("zlib" ,zlib)))
    (native-inputs
     `(("which" ,which)
       ("perl" ,perl)))
-   (arguments '(#:configure-flags '("--enable-shared")))
    (home-page "http://librsync.sourceforge.net/")
    (synopsis "Implementation of the rsync remote-delta algorithm")
    (description
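Review bot: The new `uri` in the `source` origin ends in `v` + version + `.tar.gz` and the origin has no `file-name` field, so the fetched tarball will be named `v2.0.1.tar.gz` in the store; add `(file-name (string-append name "-" version ".tar.gz"))`. Also, `bzip2` and `zlib` are added to `inputs`, but the cover message reports that the built output keeps no reference to either; check whether the CMake build actually finds and uses them, and drop whichever is not needed.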
@@ -78,4 +85,4 @@ remote-delta algorithm.  This algorithm allows efficient remote updates of a
 file, without requiring the old and new versions to both be present at the
 sending end.  The library uses a \"streaming\" design similar to that of zlib
 with the aim of allowing it to be embedded into many different applications.")
-   (license lgpl2.1+)))
+   (license license:lgpl2.1+)))
-- 
2.16.1



* [bug#30448] Update librsync to 2.0.1
  2018-02-13 19:01 [bug#30448] Update librsync to 2.0.1 Leo Famulari
@ 2018-02-15 14:27 ` Ludovic Courtès
  2018-04-23 12:58   ` Ludovic Courtès
  2019-02-13 21:26 ` [bug#30448] [PATCH] gnu: librsync: Update to 2.0.2 Leo Famulari
  1 sibling, 1 reply; 11+ messages in thread
From: Ludovic Courtès @ 2018-02-15 14:27 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 30448

Hello,

Leo Famulari <leo@famulari.name> skribis:

> Is anyone using one of the dependent packages interested in looking more
> closely at this?

I’m not using it, but at first sight the patch LGTM.

Thanks,
Ludo’.


* [bug#30448] Update librsync to 2.0.1
  2018-02-15 14:27 ` Ludovic Courtès
@ 2018-04-23 12:58   ` Ludovic Courtès
  2018-04-24 17:57     ` [bug#30448] Breaking rdiff-backup and btar (was Re: [bug#30448] Update librsync to 2.0.1) Leo Famulari
  0 siblings, 1 reply; 11+ messages in thread
From: Ludovic Courtès @ 2018-04-23 12:58 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 30448

ludo@gnu.org (Ludovic Courtès) skribis:

> Leo Famulari <leo@famulari.name> skribis:
>
>> Is anyone using one of the dependent packages interested in looking more
>> closely at this?
>
> I’m not using it, but at first sight the patch LGTM.

Ping!  :-)


* [bug#30448] Breaking rdiff-backup and btar (was Re: [bug#30448] Update librsync to 2.0.1)
  2018-04-23 12:58   ` Ludovic Courtès
@ 2018-04-24 17:57     ` Leo Famulari
  2018-04-24 20:30       ` Ludovic Courtès
  0 siblings, 1 reply; 11+ messages in thread
From: Leo Famulari @ 2018-04-24 17:57 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: Eric Bavier, 30448

On Mon, Apr 23, 2018 at 02:58:17PM +0200, Ludovic Courtès wrote:
> ludo@gnu.org (Ludovic Courtès) skribis:
> 
> > Leo Famulari <leo@famulari.name> skribis:
> >
> >> Is anyone using one of the dependent packages interested in looking more
> >> closely at this?
> >
> > I’m not using it, but at first sight the patch LGTM.
> 
> Ping!  :-)

My understanding is this update will break btar and rdiff-backup.

I suspect this will annoy some Guix users. Plus, I don't know if these
projects make an effort to detect MD4 collisions or not; perhaps they
are safe to use despite the broken librsync dependency.

We could add an old librsync package variant for those packages, but we
should add a note about the reliance on MD4.

I'll wait a few days for more feedback.

PS — this issue highlighted for me that the duplicity backup program
also depends on librsync with MD4. For recent versions of librsync,
duplicity forces librsync to fall back to MD4...


* [bug#30448] Breaking rdiff-backup and btar (was Re: [bug#30448] Update librsync to 2.0.1)
  2018-04-24 17:57     ` [bug#30448] Breaking rdiff-backup and btar (was Re: [bug#30448] Update librsync to 2.0.1) Leo Famulari
@ 2018-04-24 20:30       ` Ludovic Courtès
  2018-04-25 17:23         ` Leo Famulari
  0 siblings, 1 reply; 11+ messages in thread
From: Ludovic Courtès @ 2018-04-24 20:30 UTC (permalink / raw)
  To: Leo Famulari; +Cc: Eric Bavier, 30448

Leo Famulari <leo@famulari.name> skribis:

> PS — this issue highlighted for me that the duplicity backup program
> also depends on librsync with MD4. For recent versions of librsync,
> duplicity forces librsync to fall back to MD4...

Woow, it does sound like a problem.  :-/

Thanks for the clarification,
Ludo’.


* [bug#30448] Breaking rdiff-backup and btar (was Re: [bug#30448] Update librsync to 2.0.1)
  2018-04-24 20:30       ` Ludovic Courtès
@ 2018-04-25 17:23         ` Leo Famulari
  2018-04-28 16:48           ` Oleg Pykhalov
                             ` (2 more replies)
  0 siblings, 3 replies; 11+ messages in thread
From: Leo Famulari @ 2018-04-25 17:23 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: Eric Bavier, 30448

On Tue, Apr 24, 2018 at 10:30:14PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> 
> > PS — this issue highlighted for me that the duplicity backup program
> > also depends on librsync with MD4. For recent versions of librsync,
> > duplicity forces librsync to fall back to MD4...
> 
> Woow, it does sound like a problem.  :-/

Yeah, it makes me wonder if duplicity is still maintained or not...
A few years ago there was some discussion of making duplicity compatible
with librsync's new BLAKE2 message digests, but I guess the work has
stalled.

Btw, the affected packages (btar, rdiff-backup, and duplicity) are the
only users of librsync in Guix. So I think there is no reason to
update librsync for now.


* [bug#30448] Breaking rdiff-backup and btar (was Re: [bug#30448] Update librsync to 2.0.1)
  2018-04-25 17:23         ` Leo Famulari
@ 2018-04-28 16:48           ` Oleg Pykhalov
  2019-02-13  0:00           ` bug#30448: " Leo Famulari
  2019-02-13 21:30           ` [bug#30448] Update librsync to 2.0.1 Leo Famulari
  2 siblings, 0 replies; 11+ messages in thread
From: Oleg Pykhalov @ 2018-04-28 16:48 UTC (permalink / raw)
  To: Leo Famulari; +Cc: Eric Bavier, 30448

Hello,

Leo Famulari <leo@famulari.name> writes:

[…]

> Yeah, it makes me wonder if duplicity is still maintained or not...

The upstream does maintain duplicity.  Also I did a version update
0.7.12 -> 0.7.17 in our package recipe.  I hope to send it to Guix
patches mailing list after testing it myself for some time.

[…]

Oleg.


* bug#30448: Breaking rdiff-backup and btar (was Re: [bug#30448] Update librsync to 2.0.1)
  2018-04-25 17:23         ` Leo Famulari
  2018-04-28 16:48           ` Oleg Pykhalov
@ 2019-02-13  0:00           ` Leo Famulari
  2019-02-13 21:30           ` [bug#30448] Update librsync to 2.0.1 Leo Famulari
  2 siblings, 0 replies; 11+ messages in thread
From: Leo Famulari @ 2019-02-13  0:00 UTC (permalink / raw)
  Cc: 30448-done

On Wed, Apr 25, 2018 at 01:23:33PM -0400, Leo Famulari wrote:
> Btw, the affected packages (btar, rdiff-backup, and duplicity) are the
> only users of librsync in Guix. So I think there is no reason to
> update librsync for now.

Closing this bug ticket...


* [bug#30448] [PATCH] gnu: librsync: Update to 2.0.2.
  2018-02-13 19:01 [bug#30448] Update librsync to 2.0.1 Leo Famulari
  2018-02-15 14:27 ` Ludovic Courtès
@ 2019-02-13 21:26 ` Leo Famulari
  1 sibling, 0 replies; 11+ messages in thread
From: Leo Famulari @ 2019-02-13 21:26 UTC (permalink / raw)
  To: 30448

* gnu/packages/rsync.scm (librsync): Update to 2.0.2.
[source]: Update source URL.
[build-system]: Use cmake-build-system.
[inputs]: Add popt.
[arguments]: Remove field.
(librsync-0.9): New variable.
(btar, duplicity, rdiff-backup)[inputs]: Use librsync-0.9.
---
 gnu/packages/backup.scm |  6 +++---
 gnu/packages/rsync.scm  | 40 ++++++++++++++++++++++++++++++----------
 2 files changed, 33 insertions(+), 13 deletions(-)

diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index 970d0adb06..64a02a1b7e 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -95,7 +95,7 @@
      `(("lockfile" ,python2-lockfile)
        ("urllib3" ,python2-urllib3)))
     (inputs
-     `(("librsync" ,librsync)
+     `(("librsync" ,librsync-0.9)
        ("lftp" ,lftp)
        ("gnupg" ,gnupg)                 ; gpg executable needed
        ("util-linux" ,util-linux)       ; for setsid
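Review bot: The `inputs` entry now points at `librsync-0.9` with no comment saying why, and the same applies to the two later hunks in this file. The thread asked for a note about the reliance on MD4; a short comment beside each `librsync-0.9` input, saying that the package is not compatible with newer librsync, would record why the pin exists and when it can be removed.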
@@ -362,7 +362,7 @@ list and implement the backup strategy.")
          "0miklk4bqblpyzh1bni4x6lqn88fa8fjn15x1k1n8bxkx60nlymd"))))
     (build-system gnu-build-system)
     (inputs
-     `(("librsync" ,librsync)))
+     `(("librsync" ,librsync-0.9)))
     (arguments
      `(#:make-flags `(,(string-append "PREFIX=" (assoc-ref %outputs "out"))
                       "CC=gcc")
@@ -395,7 +395,7 @@ errors.")
     (build-system python-build-system)
     (inputs
      `(("python" ,python-2)
-       ("librsync" ,librsync)))
+       ("librsync" ,librsync-0.9)))
     (arguments
      `(#:python ,python-2
        #:tests? #f))
diff --git a/gnu/packages/rsync.scm b/gnu/packages/rsync.scm
index 4fed03523e..b20b841478 100644
--- a/gnu/packages/rsync.scm
+++ b/gnu/packages/rsync.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2019 Leo Famulari <leo@famulari.name>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -21,12 +22,15 @@
 
 (define-module (gnu packages rsync)
   #:use-module (gnu packages)
-  #:use-module (gnu packages perl)
   #:use-module (gnu packages acl)
   #:use-module (gnu packages base)
-  #:use-module (guix licenses)
+  #:use-module (gnu packages compression)
+  #:use-module (gnu packages perl)
+  #:use-module (gnu packages popt)
+  #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix packages)
   #:use-module (guix download)
+  #:use-module (guix build-system cmake)
   #:use-module (guix build-system gnu))
 
 
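Review bot: `#:use-module (gnu packages compression)` is added here, but in this revision the `inputs` of librsync contain only `popt` and `librsync-0.9` sets `(inputs '())`, so nothing in the patch uses that module. It looks like a leftover from the 2.0.1 revision, which added `bzip2` and `zlib`; drop the import.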
@@ -51,25 +55,26 @@ to/from another host over any remote shell, or to/from a remote rsync daemon.
 Its delta-transfer algorithm reduces the amount of data sent over the network
 by sending only the differences between the source files and the existing
 files in the destination.")
-   (license gpl3+)
+   (license license:gpl3+)
    (home-page "http://rsync.samba.org/")))
 
 (define-public librsync
   (package
     (name "librsync")
-    (version "0.9.7")
+    (version "2.0.2")
        (source (origin
             (method url-fetch)
-            (uri (string-append "mirror://sourceforge/librsync/librsync/"
-                                version "/librsync-" version ".tar.gz"))
+            (uri (string-append "https://github.com/librsync/librsync/archive/v"
+                                version ".tar.gz"))
             (sha256
              (base32
-              "1mj1pj99mgf1a59q9f2mxjli2fzxpnf55233pc1klxk2arhf8cv6"))))
-   (build-system gnu-build-system)
+              "1waa581pcscc1rnvy06cj584k5dx0dc7jj79wsdj7xw4xqh9ayz6"))))
+   (build-system cmake-build-system)
+   (inputs
+    `(("popt" ,popt)))
    (native-inputs
     `(("which" ,which)
       ("perl" ,perl)))
-   (arguments '(#:configure-flags '("--enable-shared")))
    (home-page "http://librsync.sourceforge.net/")
    (synopsis "Implementation of the rsync remote-delta algorithm")
    (description
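Review bot: `home-page` in the unchanged context still reads `http://librsync.sourceforge.net/` while the `source` URI moves to github.com/librsync/librsync. If upstream has moved, update `home-page` in the same commit; note that `librsync-0.9` inherits this field, so decide which address each variant should show.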
@@ -78,4 +83,19 @@ remote-delta algorithm.  This algorithm allows efficient remote updates of a
 file, without requiring the old and new versions to both be present at the
 sending end.  The library uses a \"streaming\" design similar to that of zlib
 with the aim of allowing it to be embedded into many different applications.")
-   (license lgpl2.1+)))
+   (license license:lgpl2.1+)))
+
+(define-public librsync-0.9
+  (package
+    (inherit librsync)
+    (version "0.9.7")
+        (source (origin
+             (method url-fetch)
+            (uri (string-append "mirror://sourceforge/librsync/librsync/"
+                                version "/librsync-" version ".tar.gz"))
+             (sha256
+              (base32
+              "1mj1pj99mgf1a59q9f2mxjli2fzxpnf55233pc1klxk2arhf8cv6"))))
+    (build-system gnu-build-system)
+    (arguments '(#:configure-flags '("--enable-shared")))
+    (inputs '())))
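Review bot: `librsync-0.9` is added without any comment, so nothing records that it exists only for btar, duplicity and rdiff-backup, or that 0.9.7 predates the fix for CVE-2014-8242 (truncated MD4) mentioned in the thread. Add a comment above the `define-public` stating both, so the variant is not picked up for new packages. The `(source` line is also indented deeper than the fields around it.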
-- 
2.20.1


* [bug#30448] Update librsync to 2.0.1
  2018-04-25 17:23         ` Leo Famulari
  2018-04-28 16:48           ` Oleg Pykhalov
  2019-02-13  0:00           ` bug#30448: " Leo Famulari
@ 2019-02-13 21:30           ` Leo Famulari
  2019-02-25 23:24             ` bug#30448: " Leo Famulari
  2 siblings, 1 reply; 11+ messages in thread
From: Leo Famulari @ 2019-02-13 21:30 UTC (permalink / raw)
  Cc: 30448

On Wed, Apr 25, 2018 at 01:23:33PM -0400, Leo Famulari wrote:
> Btw, the affected packages (btar, rdiff-backup, and duplicity) are the
> only users of librsync in Guix. So I think there is no reason to
> update librsync for now.

Since a new librsync user, burp, has been added to Guix, I've submitted
an updated revision of this patch.


* bug#30448: Update librsync to 2.0.1
  2019-02-13 21:30           ` [bug#30448] Update librsync to 2.0.1 Leo Famulari
@ 2019-02-25 23:24             ` Leo Famulari
  0 siblings, 0 replies; 11+ messages in thread
From: Leo Famulari @ 2019-02-25 23:24 UTC (permalink / raw)
  To: 30448-done

On Wed, Feb 13, 2019 at 04:30:24PM -0500, Leo Famulari wrote:
> Since a new librsync user, burp, has been added to Guix, I've submitted
> an updated revision of this patch.

Pushed as 584dbd8568cca381682fb682b7daf7aa37bc7df8
