Hello community,

here is the log from the commit of package libcotp for openSUSE:Factory checked in at 2026-04-29 19:20:39
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libcotp (Old)
 and /work/SRC/openSUSE:Factory/.libcotp.new.30200 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libcotp" Wed Apr 29 19:20:39 2026 rev:18 rq:1350010 version:4.1.0 Changes: -------- --- /work/SRC/openSUSE:Factory/libcotp/libcotp.changes 2026-04-16 19:25:09.567760686 +0200 +++ /work/SRC/openSUSE:Factory/.libcotp.new.30200/libcotp.changes 2026-04-29 19:22:20.208121154 +0200 
@@ -1,0 +2,32 @@ +Wed Apr 29 13:10:39 UTC 2026 - Paolo Stivanin <[email protected]> + +- Update to 4.1.0: + * otpauth:// URI parser and builder — full round-trip support + for the de-facto Google Authenticator URI format used by most + TOTP/HOTP apps and QR provisioning flows. + * Context API — bundle digits, period, and algo once with + cotp_ctx_create, then call cotp_ctx_totp / _hotp / _steam_totp + etc. without repeating the parameters. Contexts are immutable + and safe to share across threads. + * cotp_strerror — static, never-NULL human-readable description + for any cotp_error_t value. + * Public secure utilities — cotp_secure_memzero + (compiler-elision-proof zeroing) and cotp_timing_safe_memcmp + (constant-time compare) are now part of the public API, + so callers can scrub their own secret buffers and compare + secret-derived tokens with the same primitives the library + uses internally. + * HMAC errors are now propagated across all three backends + (gcrypt, OpenSSL, MbedTLS). Previously some backend failure + paths could silently produce invalid output. + * Base32 decoder rejects malformed padding counts (2, 5, 7, + >6) and data characters following padding, per RFC 4648. + * validate_totp_in_window is overflow-safe: window is clamped + to ±1024 periods, time arithmetic uses __builtin_*_overflow, + INT_MIN is handled, and the comparison is constant-time. + * otpauth:// URI parser rejects %00 payloads (which previously + caused silent NUL truncation of secrets). + * COTP_WUR (warn-unused-result) annotation applied to every + return-value-bearing public function. 
+ +------------------------------------------------------------------- Old: ---- v4.0.1.tar.gz v4.0.1.tar.gz.asc New: ---- v4.1.0.tar.gz v4.1.0.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libcotp.spec ++++++ --- /var/tmp/diff_new_pack.petmdy/_old 2026-04-29 19:22:20.968152263 +0200 +++ /var/tmp/diff_new_pack.petmdy/_new 2026-04-29 19:22:20.972152427 +0200 @@ -24,7 +24,7 @@ %define libsoname %{name}4 Name: libcotp -Version: 4.0.1 +Version: 4.1.0 Release: 0 Summary: C library for generating TOTP and HOTP License: Apache-2.0 ++++++ v4.0.1.tar.gz -> v4.1.0.tar.gz ++++++ ++++ 2362 lines of diff (skipped)
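Review bot: The 4.1.0 entry in libcotp.changes describes fixes with security impact but cites no bug or CVE reference for any of them: the %00 payloads that "previously caused silent NUL truncation of secrets", the backend failure paths that "could silently produce invalid output", and the overflow hardening of validate_totp_in_window. If a tracker entry exists for any of these, reference it in the corresponding bullet so the fix can be followed into maintained branches; if none exists, it is worth saying so in the request. Separately, the Base32 bullet lists padding counts "(2, 5, 7, >6)", where 7 is already covered by >6, so check that wording against the upstream release notes.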
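Review bot: In the libcotp.spec hunk the context line "%define libsoname %{name}4" stays unchanged while Version moves from 4.0.1 to 4.1.0, and the changelog for this update lists new public functions plus COTP_WUR on every return-value-bearing public function. Please confirm that the upstream soname is still 4 so the library subpackage name remains correct, and that packages building against libcotp with -Werror do not start failing on the new warn-unused-result annotation. The tarball diff is skipped in this mail (2362 lines), so neither point can be verified from what is shown here.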
