Hi František,

On Tue, Jul 16, 2024 at 02:08:23PM +0200, František Šumšal wrote:
> Hey,
> 
> Due to a couple of CVEs I'll need to rebase botan2 in EPEL 8 to a slightly 
> less ancient version (which also brings me to [0], about which I completely 
> forgot after I took over the botan2 package, apologies for that). I tried to 
> cherry-pick just the necessary patches, but there's a lot of 
> conflicts/missing or moved files/etc. due to the version difference so, in my 
> opinion, doing a rebase is a way safer option here (and it also makes future 
> maintenance slightly less painful, since EPEL 8 will be with us for another 
> almost five years).
> 
> I can't rebase to the latest 2.x version, since v2.19.2 drops support for the 
> OpenSSL provider. I don't know if anyone uses it in EPEL 8, but I don't feel 
> comfortable dropping it so far in EPEL 8's maintenance cycle. But from the 
> maintenance point of view this is fine, since with v2.19.1 all necessary CVE 
> patches (and other bugfixes I cherry-picked along the way) apply cleanly.
> 
> Since the rebase also bumps libbotan-2.so from libbotan-2.so.12.12.1 to 
> libbotan-2.so.19.19.1, packages that depend on it will need to be rebuilt, 
> namely:
> 
> $ dnf repoquery --enablerepo "epel*" --whatrequires "libbotan-2.so*"
> botan2-devel-0:2.12.1-4.el8.x86_64
> corectrl-0:1.3.0-2.el8.x86_64
> keepassxc-0:2.7.9-1.el8.x86_64
> qca-qt5-botan-0:2.3.4-2.el8.x86_64
> 
> As I don't have provenpackage privileges, I created a side tag 
> epel8-build-side-92634 with the rebased botan2 build (botan2-2.19.1-2.el8 
> ATTOW) and kindly ask the maintainers of the affected packages (CC'ed) to add 
> their builds into it using:
> 
> $ fedpkg build --target=epel8-build-side-92634
>
> Since this is my first multi-package build, please let me know if I messed 
> anything up.
>
I can help with rebuilding dependent packages -- however, as this is an
incompatible upgrade you need to follow this process:

https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/

Step one is this email; step two says you can build and submit to
testing now if critical (but don't make it automatically request to
stable based on time or karma).

But given step 3 (discussion for a week) and step 4 (you need to file an
issue and get approval at the EPEL meeting), you probably want to hold
off on continuing for now.

The meetings are on Wednesdays so we can take this up Wednesday next
week if you file the EPEL issue next Tuesday (after allowing for a week
of discussion).

Best,

-- 
 _o) Michel Lind
_( ) identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2


-- 
_______________________________________________
epel-devel mailing list -- epel-devel@lists.fedoraproject.org