GNU bug report logs - #24674
Dropbear bundled libraries


Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Wed, 12 Oct 2016 15:16:02 UTC

Severity: normal

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#24674; Package guix. (Wed, 12 Oct 2016 15:16:02 GMT)

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Wed, 12 Oct 2016 15:16:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: bug-guix <at> gnu.org
Subject: Dropbear bundled libraries
Date: Wed, 12 Oct 2016 11:15:03 -0400
Our Dropbear package bundles the libraries libtommath and libtomcrypt
[0], and their bundled changelogs imply that they date from 2006.

The Dropbear CHANGES [1] file shows that some attempt has been made to
cherry-pick some bug fixes. It also looks like Dropbear has made their
own changes to the bundled libraries.

Apparently it is possible to build against non-bundled libraries [2].
Both libraries have had new releases in the last ten years [3].

It appears that Debian does use the bundled libraries [4].

In July, I asked Matt Johnston, the Dropbear author, how far the bundled
copies had diverged from upstream and if it was safe to unbundle them,
but I didn't get a response.

[0]
https://github.com/libtom
https://github.com/mkj/dropbear/tree/master/libtomcrypt
https://github.com/mkj/dropbear/tree/master/libtommath

[1]
https://github.com/mkj/dropbear/blob/master/CHANGES#L481

[2]
https://github.com/mkj/dropbear/blob/master/CHANGES#L532
"- Attempt to build against system libtomcrypt/libtommath if available.
This can be disabled with ./configure --enable-bundled-libtom"

[3]
https://github.com/libtom/libtomcrypt/releases
https://github.com/libtom/libtommath/releases

[4]
https://packages.debian.org/sid/dropbear

Information forwarded to bug-guix <at> gnu.org:
bug#24674; Package guix. (Fri, 18 Dec 2020 20:04:02 GMT)

Message #8 received at 24674 <at> debbugs.gnu.org:

From: zimoun <zimon.toutoune <at> gmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: 24674 <at> debbugs.gnu.org
Subject: Re: bug#24674: Dropbear bundled libraries
Date: Fri, 18 Dec 2020 20:53:23 +0100
Hi,

On Wed, 12 Oct 2016 at 11:15, Leo Famulari <leo <at> famulari.name> wrote:
> Our Dropbear package bundles the libraries libtommath and libtomcrypt
> [0], and their bundled changelogs imply that they date from 2006.

Since the package still contains the comment:

--8<---------------cut here---------------start------------->8---
    (arguments `(#:tests? #f))  ; there is no "make check" or anything similar
    ;; TODO: Investigate unbundling libtommath and libtomcrypt or at least
    ;; cherry-picking important bug fixes from them. See <bugs.gnu.org/24674>
    ;; for more information.
--8<---------------cut here---------------end--------------->8---

with the last update 2020-10-29, I propose to mark it as ’severe’ and
put it in the list of bugs which should be fixed for the next (or
next-next) release.  WDYT?

All the best,
simon

Information forwarded to bug-guix <at> gnu.org:
bug#24674; Package guix. (Fri, 18 Dec 2020 21:30:02 GMT)

Message #11 received at 24674 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: zimoun <zimon.toutoune <at> gmail.com>
Cc: 24674 <at> debbugs.gnu.org
Subject: Re: bug#24674: Dropbear bundled libraries
Date: Fri, 18 Dec 2020 16:29:37 -0500
On Fri, Dec 18, 2020 at 08:53:23PM +0100, zimoun wrote:
> with the last update 2020-10-29, I propose to mark it as ’severe’ and
> put it in the list of bugs which should be fixed for the next (or
> next-next) release.  WDYT?

Dropbear 2020.79 includes this text in the CHANGES file:

------
- Upgrade libtomcrypt to 1.18.2 and libtommath to 1.2.0, many thanks to Steffen Jaeckel for
  updating Dropbear to use the current API. Dropbear's configure script will check 
  for sufficient system library versions, otherwise using the bundled versions.
------

And in 2020.80:

------
- Improve checking libtomcrypt version compatibility
------

So, it might be possible now to use "system" copies of these libraries.
Previously, I couldn't figure out how to make it work or whether Dropbear
would continue to work correctly.

We have a package of libtommath 1.2.0.

TODO:
1) Package libtomcrypt 1.18.2
2) Try building Dropbear with libtommath and libtomcrypt Guix packages

Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Sat, 19 Dec 2020 06:41:01 GMT)

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Sat, 19 Dec 2020 06:41:01 GMT)

Message #16 received at 24674-done <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: zimoun <zimon.toutoune <at> gmail.com>
Cc: 24674-done <at> debbugs.gnu.org
Subject: Re: bug#24674: Dropbear bundled libraries
Date: Sat, 19 Dec 2020 01:40:46 -0500
On Fri, Dec 18, 2020 at 04:29:37PM -0500, Leo Famulari wrote:
> TODO:
> 1) Package libtomcrypt 1.18.2
> 2) Try building Dropbear with libtommath and libtomcrypt Guix packages

Packaging libtomcrypt is easy, but building Dropbear without using the
bundled libtom libraries is still not that simple. I tried building
Dropbear with "--disable-bundled-libtom" but the build scripts don't
automatically find the shared libraries.

My primary motivation for filing this bug was the risk of serious bugs
in the old copies of the libtom libraries.

Since Dropbear has upgraded their copies, made enough modifications
that they think it's worth forking, and because using the external
libraries is complicated, I'm closing this bug as-is. But I'm also
leaving the comment in the Dropbear package definition.
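As an added example, not from the bug thread and not code from Dropbear or Guix: a small POSIX shell check that tells, from `ldd` output, whether a built Dropbear binary links the system libtomcrypt/libtommath shared objects or carries the bundled copies compiled in (the practical way to confirm which copies a package actually ends up using). The sonames, store paths and `ldd` lines in the samples are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the bug thread): classify whether a Dropbear
# binary uses the system libtom shared libraries or the bundled copies.
# Input: the text printed by `ldd <binary>`.
# Assumption: system builds expose sonames containing "libtomcrypt.so"
# and "libtommath.so" (the trailing version digits vary by release).

# Prints "system" when both libtom libraries resolve to shared objects,
# "bundled" when neither appears (they were compiled in from the bundled
# sources), and "mixed" when only one of them is found.
classify_libtom_linkage() {
    ldd_output=$1
    have_crypt=0
    have_math=0
    printf '%s\n' "$ldd_output" | grep -q 'libtomcrypt\.so' && have_crypt=1
    printf '%s\n' "$ldd_output" | grep -q 'libtommath\.so' && have_math=1
    case "$have_crypt$have_math" in
        11) echo system ;;
        00) echo bundled ;;
        *)  echo mixed ;;
    esac
}

# Constructed sample: a build using the bundled libtom sources links
# nothing but libc (store paths invented for the example).
BUNDLED_SAMPLE='    linux-vdso.so.1 (0x00007ffd00000000)
    libc.so.6 => /gnu/store/example-glibc/lib/libc.so.6 (0x00007f0000000000)
    /gnu/store/example-glibc/lib/ld-linux-x86-64.so.2 (0x00007f0000100000)'

# Constructed sample: a build whose configure step found both system
# libraries, so they show up as shared-object dependencies.
SYSTEM_SAMPLE='    linux-vdso.so.1 (0x00007ffd00000000)
    libtomcrypt.so.1 => /gnu/store/example-libtomcrypt/lib/libtomcrypt.so.1 (0x00007f0000200000)
    libtommath.so.1 => /gnu/store/example-libtommath/lib/libtommath.so.1 (0x00007f0000300000)
    libc.so.6 => /gnu/store/example-glibc/lib/libc.so.6 (0x00007f0000000000)'

# Real use: classify_libtom_linkage "$(ldd /path/to/dropbear)"
classify_libtom_linkage "$BUNDLED_SAMPLE"
classify_libtom_linkage "$SYSTEM_SAMPLE"
```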

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 16 Jan 2021 12:24:07 GMT)