On 2022/12/30 02:06, Theo Buehler wrote:
> I understand that it is a libcbor major bump. Why is the libfido2 bump
> needed?

We can run into a problem with bumps with inter-library dependencies
in base. If software from packages uses functions from both libraries,
if you _don't_ bump major for libfido2, it will pull in the new fido2
lib (using new cbor abi), and depending on what ld.so decides, one or
other version of libcbor, that can't satisfy abi requirements of both
new libfido2 and old binary.

It resolves itself when new packages are installed, but that takes time.

Now, I don't know if that actually happens with packages using
fido2/cbor; could be that they only want libfido2 functions and don't
use libcbor functions themselves, in which case there's no problem. It
happens very often when X libraries are bumped, but they're used by more
packages and there's higher likelihood of functions from both libraries
actually being called (or structs being passed around and potentially
copied incomplete, etc).

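
The situation described above, as an added example that is not part of the original message: a simplified model that walks a binary's NEEDED closure and reports any library requested with more than one major version. The binary name, the version numbers and the exact-name lookup are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed NEEDED lists (the kind of data `objdump -p` reports); every
# version number and the binary name are made up for illustration.
NO_FIDO2_BUMP = {
    "old-pkg-binary": ["libfido2.so.6.0", "libcbor.so.1.0", "libc.so.96.0"],
    # libfido2 rebuilt against the new libcbor, major left unchanged, so the
    # old binary's request resolves to this rebuilt library:
    "libfido2.so.6.0": ["libcbor.so.2.0", "libc.so.96.0"],
}
WITH_FIDO2_BUMP = {
    "old-pkg-binary": ["libfido2.so.6.0", "libcbor.so.1.0", "libc.so.96.0"],
    "libfido2.so.6.0": ["libcbor.so.1.0", "libc.so.96.0"],  # old lib still installed
    "libfido2.so.7.0": ["libcbor.so.2.0", "libc.so.96.0"],  # new major, new cbor ABI
}

SONAME = re.compile(r"^(lib.+)\.so\.(\d+)\.(\d+)$")

def major_conflicts(root, needed):
    """Walk the NEEDED closure of `root` and return {lib: sorted majors} for
    every library that is requested with more than one major version."""
    majors = defaultdict(set)
    seen, stack = set(), [root]
    while stack:
        obj = stack.pop()
        if obj in seen:
            continue
        seen.add(obj)
        for dep in needed.get(obj, []):
            m = SONAME.match(dep)
            if m:
                majors[m.group(1)].add(int(m.group(2)))
            stack.append(dep)  # follow the dependency's own NEEDED entries
    return {lib: sorted(v) for lib, v in majors.items() if len(v) > 1}

if __name__ == "__main__":
    for label, graph in (("no libfido2 bump", NO_FIDO2_BUMP),
                         ("libfido2 bumped", WITH_FIDO2_BUMP)):
        print(label + ":", major_conflicts("old-pkg-binary", graph) or "no conflict")
```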