FFe: update to 0.6.0 (MIR requirement)

Bug #1868609 reported by Andreas Hasenack

Bug Description

libcbor is a dependency of libfido2, which is being MIRed in bug #1864439. As such, libcbor was added to the same MIR.

The libcbor MIR was accepted on two conditions:
a) it's updated to 0.6.0[1]
b) its test suite is run at build time[2]

Both of these conditions are met in my linked MP[3]. The most important packaging changes are:
- test suite is run at package build time
- upstream changed the soname in 0.6.0 (ok so far), but in an overzealous way (it made the full 0.6.0 version part of the soname). I talked with upstream and they suggested a patch to make 0.6 part of the soname only. That patch I applied in our package, and had to rename the binary library package to libcbor0.6 (from libcbor0). See the MP[3] for details and links to the conversation with upstream;
- I fixed a ton of lintian issues. Current lintian -I --pedantic output is just:
I: libcbor source: testsuite-autopkgtest-missing
P: libcbor source: file-contains-trailing-whitespace debian/changelog (line 44)

The upstream release notes for each version are at [4]. Our update is from 0.5.0 in focal to 0.6.0 with the above changes. The security team was interested in all the fixes announced in 0.6.0.

One potential issue here is that Ubuntu will be shipping a 0.6.0 package which produces a 0.6 version in the soname, whereas the exact same upstream version uses 0.6.0 in the soname. I asked upstream if they preferred to make a new release. On one hand, upstream agreed[5], but at the same time didn't seem too worried[6]. You, dear release team member reviewer, are welcome to chime in with what you think should be done :)

PPA with builds: https://launchpad.net/~ahasenack/+archive/ubuntu/openssh-fido/

The only reverse dependency of libcbor is libfido2-1 and libcbor itself in the form of the -dev package.

1. https://bugs.launchpad.net/ubuntu/+source/libfido2/+bug/1864439/comments/7
2. https://bugs.launchpad.net/ubuntu/+source/libfido2/+bug/1864439/comments/9
3. https://code.launchpad.net/~ahasenack/ubuntu/+source/libcbor/+git/libcbor/+merge/381060
4. https://github.com/PJK/libcbor/releases
5. https://github.com/PJK/libcbor/pull/131#issuecomment-602855102
6. https://github.com/PJK/libcbor/issues/52#issuecomment-602864168
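An added check, not part of this bug or the libcbor packaging, that derives the expected Debian binary package name from a library's SONAME and flags the three-component form (libcbor.so.0.6.0) that the 0.6.0 upstream tarball produced; it assumes binutils' readelf is available for the ELF lookup, and the package-name helpers are plain string handling:

```shell
#!/bin/sh
# Added example (not from the bug or the libcbor project): sanity-check the
# SONAME of a built shared library against the $MAJOR.$MINOR convention the
# packaging expects and derive the matching Debian binary package name.

# Print the SONAME recorded in an ELF shared object (assumes binutils' readelf).
soname_of() {
    readelf -d "$1" 2>/dev/null | sed -n 's/.*(SONAME).*\[\(.*\)\].*/\1/p'
}

# Map "libcbor.so.0.6" -> "libcbor0.6" (Debian convention: libname + soversion).
pkg_from_soname() {
    base=${1%%.so.*}        # everything before ".so.", e.g. libcbor
    ver=${1#*.so.}          # everything after ".so.", e.g. 0.6
    printf '%s%s\n' "$base" "$ver"
}

# Return 0 when the soversion is exactly MAJOR.MINOR, 1 otherwise.
# "libcbor.so.0.6.0" (full version in the soname) is rejected here.
soversion_is_major_minor() {
    ver=${1#*.so.}
    case $ver in
        *.*.*) return 1 ;;   # three or more components: full version leaked in
        *.*)   return 0 ;;   # MAJOR.MINOR: what the package name libcbor0.6 expects
        *)     return 1 ;;   # single component: not the convention used here
    esac
}

# Usage: check_library path/to/libcbor.so.0.6
check_library() {
    so=$(soname_of "$1")
    [ -n "$so" ] || { echo "no SONAME found in $1"; return 1; }
    if soversion_is_major_minor "$so"; then
        echo "SONAME $so -> package $(pkg_from_soname "$so")"
    else
        echo "SONAME $so does not follow MAJOR.MINOR"; return 1
    fi
}
```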

Andreas Hasenack (ahasenack) wrote :

I mistakenly uploaded right after the MP was approved, and forgot to wait for this FFe to be approved as well. Apologies.

"Thankfully" there is a NEW binary due to the soname change, so this won't hit proposed before that is sorted.

Łukasz Zemczak (sil2100) wrote :

Ok, so I'm generally +1 on this FFe, though the meddling with the soname does worry me a bit. Ideally, it would be best if upstream could release a 0.6.1 that we'd just pull in as a whole, without carrying some weird delta. Good thing that this doesn't have many build dependencies besides libfido, which we already handle via the MIR anyway - since those big upstream jumps are very risky usually, especially with soname bumps.

Anyway, I'd say let's get this done. But as said, I'd prefer a 0.6.1 pulled in, though I won't block on that.

Changed in libcbor (Ubuntu):
status: New → Triaged
Andreas Hasenack (ahasenack) wrote :

Thanks. I subscribed to all upstream activities on this.

Andreas Hasenack (ahasenack) wrote :

I nudged upstream suggesting a 0.6.1 release with this change would be great. Let's see.

Andreas Hasenack (ahasenack) wrote :

Upstream released 0.6.1 with the soname changes we incorporated, and clarified how it will be from now on:

https://github.com/PJK/libcbor/releases/tag/v0.6.1

While checking the actual diff, though, it looks like more was changed. I asked for clarification in https://github.com/PJK/libcbor/pull/131#issuecomment-604988996

For the moment we are better off with the package I uploaded.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libcbor - 0.6.0-0ubuntu1

---------------
libcbor (0.6.0-0ubuntu1) focal; urgency=medium

  * New upstream version 0.6.0 (LP: #1868609):
    - no need for dfsg since docs/doxygen is no longer shipped
  * d/rules: override auto_configure to enable tests and set the build
    type to "Release" as shown in the upstream build instructions.
  * d/p/skip-custom-allocator-test.patch: skip custom allocator test if
    CBOR_CUSTOM_ALLOC is undefined
  * d/rules: add hardening=+all
  * Fix soname versioning:
    - d/p/clarify-soname-versioning.patch: adjust soname versioning to
      match expectations $MAJOR.$MINOR.$PATCH
    - d/control: rename binary package to match soname 0.6
    - d/control: fix -dev dependency towards its binary lib
    - d/libcbor0.6.install, d/libcbor0.6.symbols: rename to match new soname
    - d/libcbor0.6.symbols: symbols update, add B-D-P field
  * d/libcbor-doc.examples: rename so examples are installed
  * d/control: bump debhelper to 12
  * d/copyright lintian fixes:
    - d/copyright: change url to https
    - d/copyright: remove Files-Excluded since that directory is not
      shipped in the 0.6.0 upstream tarball.
    - d/copyright: removed entry about docs/stylesheets/github-light.css
      as this isn't shipped anymore in the upstream tarball.
  * d/control: set R3 to no
  * d/copyright: add new paragraph for new files in 0.6.0
  * d/control: bump standards-version to 4.5.0 (no changes required)
  * d/watch: remove dfsg mangling

 -- Andreas Hasenack <email address hidden> Wed, 25 Mar 2020 19:22:25 +0000

Changed in libcbor (Ubuntu):
status: Triaged → Fix Released