From: Leo Famulari
To: bug-guix@gnu.org
Subject: bug#24674: Dropbear bundled libraries
Date: Wed, 12 Oct 2016 11:15:03 -0400

Our Dropbear package bundles the libraries libtommath and libtomcrypt
[0], and their bundled changelogs imply that they date from 2006.

The Dropbear CHANGES [1] file shows that some attempt has been made to
cherry-pick some bug fixes. It also looks like Dropbear has made their
own changes to the bundled libraries.

Apparently it is possible to build against non-bundled libraries [2].

Both libraries have had new releases in the last ten years [3].

It appears that Debian does use the bundled libraries [4].

In July, I asked Matt Johnston, the Dropbear author, how far the bundled
copies had diverged from upstream and if it was safe to unbundle them,
but I didn't get a response.

[0]
https://github.com/libtom
https://github.com/mkj/dropbear/tree/master/libtomcrypt
https://github.com/mkj/dropbear/tree/master/libtommath

[1]
https://github.com/mkj/dropbear/blob/master/CHANGES#L481

[2]
https://github.com/mkj/dropbear/blob/master/CHANGES#L532
"- Attempt to build against system libtomcrypt/libtommath if available.
  This can be disabled with ./configure --enable-bundled-libtom"

[3]
https://github.com/libtom/libtomcrypt/releases
https://github.com/libtom/libtommath/releases

[4]
https://packages.debian.org/sid/dropbear

From: zimoun
To: Leo Famulari
Cc: 24674@debbugs.gnu.org
Subject: bug#24674: Dropbear bundled libraries
Date: Fri, 18 Dec 2020 20:53:23 +0100

Hi,

On Wed, 12 Oct 2016 at 11:15, Leo Famulari wrote:

> Our Dropbear package bundles the libraries libtommath and libtomcrypt
> [0], and their bundled changelogs imply that they date from 2006.

Since the package still contains the comment:

--8<---------------cut here---------------start------------->8---
    (arguments `(#:tests? #f)) ; there is no "make check" or anything similar
    ;; TODO: Investigate unbundling libtommath and libtomcrypt or at least
    ;; cherry-picking important bug fixes from them. See
    ;; for more information.
--8<---------------cut here---------------end--------------->8---

with the last update 2020-10-29, I propose to mark it as ’severe’ and
put it in the list of bugs which should be fixed for the next (or
next-next) release. WDYT?

All the best,
simon

From: Leo Famulari
To: zimoun
Cc: 24674@debbugs.gnu.org
Subject: bug#24674: Dropbear bundled libraries
Date: Fri, 18 Dec 2020 16:29:37 -0500

On Fri, Dec 18, 2020 at 08:53:23PM +0100, zimoun wrote:
> with the last update 2020-10-29, I propose to mark it as ’severe’ and
> put it in the list of bugs which should be fixed for the next (or
> next-next) release. WDYT?

Dropbear 2020.79 includes this text in the CHANGES file:

------
- Upgrade libtomcrypt to 1.18.2 and libtommath to 1.2.0, many thanks to
  Steffen Jaeckel for updating Dropbear to use the current API. Dropbear's
  configure script will check for sufficient system library versions,
  otherwise using the bundled versions.
------

And in 2020.80:

------
- Improve checking libtomcrypt version compatibility
------

So, it might be possible now to use "system" copies of these libraries.
Previously, I couldn't figure out how to make it work or if Dropbear would
continue to work correctly.

We have a package of libtommath 1.2.0.

TODO:
1) Package libtomcrypt 1.18.2
2) Try building Dropbear with libtommath and libtomcrypt Guix packages

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Leo Famulari
Subject: bug#24674: closed (Re: bug#24674: Dropbear bundled libraries)
Date: Sat, 19 Dec 2020 06:41:01 +0000

Your bug report

#24674: Dropbear bundled libraries

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 24674@debbugs.gnu.org.

-- 
24674: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=24674
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Leo Famulari
To: zimoun
Cc: 24674-done@debbugs.gnu.org
Subject: Re: bug#24674: Dropbear bundled libraries
Date: Sat, 19 Dec 2020 01:40:46 -0500

On Fri, Dec 18, 2020 at 04:29:37PM -0500, Leo Famulari wrote:
> TODO:
> 1) Package libtomcrypt 1.18.2
> 2) Try building Dropbear with libtommath and libtomcrypt Guix packages

Packaging libtomcrypt is easy, but building Dropbear without using the
bundled libtom libraries is still not that simple. I tried building
Dropbear with "--disable-bundled-libtom" but the build scripts don't
automatically find the shared libraries.

My primary motivation for filing this bug was the risk of serious bugs
in the old copies of the libtom libraries. Since Dropbear has upgraded
their copies, makes enough modifications that they think it's worth
forking, and because using the external libraries is complicated, I'm
closing this bug as-is. But I'm also leaving the comment in the Dropbear
package definition.
