GNU bug report logs - #30448
Update librsync to 2.0.1


Package: guix-patches

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Tue, 13 Feb 2018 19:02:01 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Leo Famulari <leo <at> famulari.name>
Subject: bug#30448: closed (Re: Breaking rdiff-backup and btar (was Re:
 [bug#30448] Update librsync to 2.0.1))
Date: Wed, 13 Feb 2019 00:01:02 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#30448: Update librsync to 2.0.1

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 30448 <at> debbugs.gnu.org.

-- 
30448: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=30448
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Leo Famulari <leo <at> famulari.name>
Cc: 30448-done <at> debbugs.gnu.org
Subject: Re: Breaking rdiff-backup and btar (was Re: [bug#30448] Update
 librsync to 2.0.1)
Date: Tue, 12 Feb 2019 19:00:35 -0500
[Message part 3 (text/plain, inline)]
On Wed, Apr 25, 2018 at 01:23:33PM -0400, Leo Famulari wrote:
> Btw, the affected packages (btar, rdiff-backup, and duplicity) are the
> only users of librsync in Guix. So I think there is no reason to
> update librsync for now.

Closing this bug ticket...
[signature.asc (application/pgp-signature, inline)]
[Message part 5 (message/rfc822, inline)]
From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: Update librsync to 2.0.1
Date: Tue, 13 Feb 2018 14:01:13 -0500
[Message part 6 (text/plain, inline)]
librsync 2.0.1 is available at a new upstream URL:

https://github.com/librsync/librsync/releases

Patch attached.

This would also include the fix for CVE-2014-8242, which is about use of
a cryptographically broken hash function (truncated MD4), released in
librsync 1.0.0.

However, at least btar and rdiff-backup aren't compatible with this new
version of librsync (I'm still building deja-dup to test its
compatibility).

Additionally, I noticed that the built package doesn't keep any
references to bzip2 or zlib, which seems wrong to me.

Is anyone using one of the dependent packages interested in looking more
closely at this?
[0001-gnu-librsync-Update-to-2.0.1.patch (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

This bug report was last modified 6 years and 86 days ago.
