* purpose of GnuTLS versions
@ 2023-01-26  5:12 Jack Hill
  2023-01-26 12:04 ` Simon Tournier
  2023-01-30 21:51 ` Ludovic Courtès
  0 siblings, 2 replies; 8+ messages in thread
From: Jack Hill @ 2023-01-26  5:12 UTC (permalink / raw)
  To: guix-devel

Hi Guix,

We currently have two versions of GnuTLS packaged: 3.7.2 represented by 
the `gnutls` variable and 3.7.7 represented by the `gnutls-latest` 
variable. `guix refresh -l` reports that changes to the 3.7.2 version 
would cause 14770 rebuilds, but only 30 rebuilds for the 3.7.7 version. As 
far as I can tell, neither version currently has a replacement (graft).

What is the purpose of these two versions? 3.7.7 is almost the current 
release [0], but 3.7.2 is an older release in the same series. GnuTLS does 
have two release series [1], stable and next, that correspond to 3.6.x and 
3.7.x numbering schemes.

It seems to me that the `gnutls` variable should refer to the latest 
"stable" release, and the `gnutls-latest` variable to latest "next" 
release. Does that make sense? What am I missing?

It appears that 3.7.2 has some unpatched advisories [2].

[0] https://issues.guix.gnu.org/61064
[1] https://gitlab.com/gnutls/gnutls/-/blob/master/RELEASES.md
[2] https://gnutls.org/security-new.html

Best,
Jack



* Re: purpose of GnuTLS versions
  2023-01-26  5:12 purpose of GnuTLS versions Jack Hill
@ 2023-01-26 12:04 ` Simon Tournier
  2023-01-30 20:25   ` Jack Hill
  2023-01-30 21:51 ` Ludovic Courtès
  1 sibling, 1 reply; 8+ messages in thread
From: Simon Tournier @ 2023-01-26 12:04 UTC (permalink / raw)
  To: Jack Hill, guix-devel

Hi,

On Thu, 26 Jan 2023 at 00:12, Jack Hill <jackhill@jackhill.us> wrote:

> It seems to me that the `gnutls` variable should refer to the latest
> "stable" release, and the `gnutls-latest` variable to latest "next"
> release. Does that make sense? What am I missing?

This means a core-updates change – so next core-updates merge cycle? :-)

If I read correctly, core-updates already uses 3.7.7 for the variable
’gnutls’ and note that the variable ’gnutls-latest’ also uses 3.7.7. :-)

Cheers,
simon



* Re: purpose of GnuTLS versions
  2023-01-26 12:04 ` Simon Tournier
@ 2023-01-30 20:25   ` Jack Hill
  2023-01-30 21:19     ` Jack Hill
  0 siblings, 1 reply; 8+ messages in thread
From: Jack Hill @ 2023-01-30 20:25 UTC (permalink / raw)
  To: Simon Tournier; +Cc: guix-devel


On Thu, 26 Jan 2023, Simon Tournier wrote:

> Hi,
>
> On Thu, 26 Jan 2023 at 00:12, Jack Hill <jackhill@jackhill.us> wrote:
>
>> It seems to me that the `gnutls` variable should refer to the latest
>> "stable" release, and the `gnutls-latest` variable to latest "next"
>> release. Does that make sense? What am I missing?
>
> This means a core-updates change – so next core-updates merge cycle? :-)

Agreed, a change to the gnutls variable will need to go through 
core-updates. However, while the current situation does seem odd to me, 
I'm still not sure what the best resolution will be. "Downgrading" gnutls 
was only one option. Another option that I can think of is moving to only 
having one GnuTLS version, probably 3.7.x, and fixing problems via grafts 
in the master branch. In the meantime, we may want to move individual 
packages from gnutls to gnutls-latest or patch the known bugs in gnutls 
with grafts.

To help us decide, I've asked [0] the GnuTLS developers for their 
thoughts.

> If I read correctly, core-updates already uses 3.7.7 for the variable
> ’gnutls’ and note that the variable ’gnutls-latest’ also uses 3.7.7. :-)

:)

[0] https://lists.gnutls.org/pipermail/gnutls-help/2023-January/004813.html

Best,
Jack


* Re: purpose of GnuTLS versions
  2023-01-30 20:25   ` Jack Hill
@ 2023-01-30 21:19     ` Jack Hill
  2023-01-31 16:59       ` Ludovic Courtès
  0 siblings, 1 reply; 8+ messages in thread
From: Jack Hill @ 2023-01-30 21:19 UTC (permalink / raw)
  To: guix-devel; +Cc: Simon Tournier

On Mon, 30 Jan 2023, Jack Hill wrote:

> To help us decide, I've asked [0] the GnuTLS developers for their thoughts.

I was directed to an older thread [0] which provides some more insight. 
Having read that, I propose moving to just one gnutls version in 
core-updates. Thoughts?

Then there's the question of what to do in the meantime for master. Grafts 
for 3.7.2? Move packages to 3.7.7?

[0] https://lists.gnutls.org/pipermail/gnutls-help/2022-September/004748.html

Best,
Jack



* Re: purpose of GnuTLS versions
  2023-01-26  5:12 purpose of GnuTLS versions Jack Hill
  2023-01-26 12:04 ` Simon Tournier
@ 2023-01-30 21:51 ` Ludovic Courtès
  1 sibling, 0 replies; 8+ messages in thread
From: Ludovic Courtès @ 2023-01-30 21:51 UTC (permalink / raw)
  To: Jack Hill; +Cc: guix-devel

Hi Jack,

Jack Hill <jackhill@jackhill.us> skribis:

> We currently have two versions of GnuTLS packaged: 3.7.2 represented
> by the `gnutls` variable and 3.7.7 represented by the `gnutls-latest`
> variable. `guix refresh -l` reports that changes to the 3.7.2 version
> would cause 14770 rebuilds, but only 30 rebuilds for the 3.7.7
> version. As far as I can tell, neither version currently has a
> replacement (graft).

‘gnutls-latest’ was initially added to provide up-to-date Guile
bindings, since Guile bindings were part of GnuTLS.

Since a couple of months ago, Guile bindings live in a separate repo,
but the new ‘guile-gnutls’ package depends on ‘gnutls-latest’, which no
longer depends on Guile (whereas ‘gnutls’ still depends on Guile).

> It seems to me that the `gnutls` variable should refer to the latest
> "stable" release, and the `gnutls-latest` variable to latest "next"
> release. Does that make sense? What am I missing?

As Simon pointed out, that’s for ‘core-updates’.

> It appears that 3.7.2 has some unpatched advisories [2].

Ouch, then we probably need a ‘replacement’.  Would you like to give it
a try?

Thanks for the heads-up!

Ludo’.



* Re: purpose of GnuTLS versions
  2023-01-30 21:19     ` Jack Hill
@ 2023-01-31 16:59       ` Ludovic Courtès
  2023-01-31 17:14         ` Jack Hill
  0 siblings, 1 reply; 8+ messages in thread
From: Ludovic Courtès @ 2023-01-31 16:59 UTC (permalink / raw)
  To: Jack Hill; +Cc: guix-devel, Simon Tournier

Jack Hill <jackhill@jackhill.us> skribis:

> On Mon, 30 Jan 2023, Jack Hill wrote:
>
>> To help us decide, I've asked [0] the GnuTLS developers for their thoughts.
>
> I was directed to an older thread [0] which provides some more
> insight. Having read that, I propose moving to just one gnutls
> version in core-updates. Thoughts?

Agreed!  Make sure Guile is removed from its inputs.

> Then there's the question of what to do in the meantime for
> master. Grafts for 3.7.2? Move packages to 3.7.7?

Graft, after making sure both versions are ABI-compatible (it should be
the case).

Thanks!

Ludo’.



* Re: purpose of GnuTLS versions
  2023-01-31 16:59       ` Ludovic Courtès
@ 2023-01-31 17:14         ` Jack Hill
  2023-02-08  8:50           ` Ludovic Courtès
  0 siblings, 1 reply; 8+ messages in thread
From: Jack Hill @ 2023-01-31 17:14 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel, Simon Tournier


On Tue, 31 Jan 2023, Ludovic Courtès wrote:

> Jack Hill <jackhill@jackhill.us> skribis:
>
>> Then there's the question of what to do in the meantime for
>> master. Grafts for 3.7.2? Move packages to 3.7.7?
>
> Graft, after making sure both versions are ABI-compatible (it should be
> the case).

Unfortunately, we may not be so lucky. ABI Laboratory* reports that there 
were some changes in 3.7.3 [0]. Does that look like it would be a problem? For 
reference, the fixes for the announced security advisories look small 
enough that a backport is feasible (although I haven't tried yet) [1][2].

* I don't know if we have ABI checking tools in Guix. The ones that power 
ABI Laboratory look like candidates for packaging though.

[0] https://abi-laboratory.pro/index.php?view=compat_report&l=gnutls&v1=3.7.2&v2=3.7.3&obj=0a750&kind=abi#Symbol_Problems_High
[1] https://gitlab.com/dueno/gnutls/-/commit/22f837ba0bc7d13c3d738a8583566368fc12aee1
[2] https://gitlab.com/gnutls/gnutls/-/merge_requests/1615/diffs

Anyways, I'm of course happy to propose some patches (keeping in mind the 
usual competition for my time, so it might be a couple days).

Best,
Jack


* Re: purpose of GnuTLS versions
  2023-01-31 17:14         ` Jack Hill
@ 2023-02-08  8:50           ` Ludovic Courtès
  0 siblings, 0 replies; 8+ messages in thread
From: Ludovic Courtès @ 2023-02-08  8:50 UTC (permalink / raw)
  To: Jack Hill; +Cc: guix-devel, Simon Tournier

Hello!

Jack Hill <jackhill@jackhill.us> skribis:

> On Tue, 31 Jan 2023, Ludovic Courtès wrote:
>
>> Jack Hill <jackhill@jackhill.us> skribis:
>>
>>> Then there's the question of what to do in the meantime for
>>> master. Grafts for 3.7.2? Move packages to 3.7.7?
>>
>> Graft, after making sure both versions are ABI-compatible (it should be
>> the case).
>
> Unfortunately, we may not be so lucky. ABI Laboratory* reports that
> there were some changes in 3.7.3 [0].

I would recommend checking by running ‘abidiff’ (from the ‘libabigail’
package) on our own binaries, to be sure.

If there are only additions (new symbols), which is what I would expect,
then we’re fine.  If there were deletions (unlikely), then we may have a
problem.

HTH!

Ludo’.
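
The abidiff check recommended in the message above, as an added example that is not part of the original thread or of Guix: it decodes abidiff's documented exit-status bit field into a graft verdict. The function names and the report file name are hypothetical; the two library paths are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): decide from abidiff's exit status
# whether grafting a newer GnuTLS over an older one is ruled out.
# libabigail documents the status as a bit field:
#   1 = ABIDIFF_ERROR               2 = ABIDIFF_USAGE_ERROR
#   4 = ABIDIFF_ABI_CHANGE          8 = ABIDIFF_ABI_INCOMPATIBLE_CHANGE

# classify_abidiff_status STATUS -> prints one verdict word.
classify_abidiff_status() {
    status=$1
    if [ $((status & 3)) -ne 0 ]; then
        echo error          # tool or usage failure: nothing can be concluded
    elif [ $((status & 8)) -ne 0 ]; then
        echo incompatible   # e.g. removed symbols: a graft would break users
    elif [ $((status & 4)) -ne 0 ]; then
        echo review         # ABI differs: read the report, additions only are fine
    else
        echo identical      # no ABI difference found
    fi
}

# check_graft_abi OLD_LIB NEW_LIB [REPORT_FILE]
# Runs abidiff on the two shared objects, keeps the full report for review,
# and returns 0 only when the result does not rule out a graft.
check_graft_abi() {
    old=$1
    new=$2
    report=${3:-abidiff-report.txt}   # hypothetical default file name
    rc=0
    abidiff "$old" "$new" > "$report" 2>&1 || rc=$?
    verdict=$(classify_abidiff_status "$rc")
    echo "abidiff verdict: $verdict (exit status $rc, report in $report)"
    case $verdict in
        identical|review) return 0 ;;
        *) return 1 ;;
    esac
}
```

Call `check_graft_abi` with the libgnutls shared objects from the locally built `gnutls` and `gnutls-latest` outputs. A `review` verdict still requires reading the saved report to confirm that the differences are only added symbols.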

