Activity log for bug #1868609

Date Who What changed Old value New value Message
2020-03-23 18:34:55 Andreas Hasenack bug added bug
2020-03-23 18:48:38 Andreas Hasenack merge proposal linked https://code.launchpad.net/~ahasenack/ubuntu/+source/libcbor/+git/libcbor/+merge/381060
2020-03-24 20:09:46 Andreas Hasenack description
Old value: FFe placeholder
New value:
libcbor is a dependency of libfido2, which is being MIRed in bug #1864439. As such, libcbor was added to the same MIR.

The libcbor MIR was accepted on two conditions:
a) it's updated to 0.6.0[1]
b) its test suite is run at build time[2]

Both of these conditions are met in my linked MP[3].

The most important packaging changes are:
- test suite is run at package build time
- upstream changed the soname in 0.6.0 (ok so far), but in an overzealous way (it made the full 0.6.0 version part of the soname). I talked with upstream and they suggested a patch to make 0.6 part of the soname only. That patch I applied in our package, and had to rename the binary library package to libcbor0.6 (from libcbor0). See the MP[3] for details and links to the conversation with upstream;
- I fixed a ton of lintian issues. Current lintian -I --pedantic output is just:
I: libcbor source: testsuite-autopkgtest-missing
P: libcbor source: file-contains-trailing-whitespace debian/changelog (line 44)

The upstream release notes for each version are at [4]. Our update is from 0.5.0 in focal to 0.6.0 with the above changes. The security team was interested in all the fixes announced in 0.6.0.

PPA with builds: https://launchpad.net/~ahasenack/+archive/ubuntu/openssh-fido/

The only reverse dependency of libcbor is libfido2-1 and libcbor itself in the form of the -dev package.

1. https://bugs.launchpad.net/ubuntu/+source/libfido2/+bug/1864439/comments/7
2. https://bugs.launchpad.net/ubuntu/+source/libfido2/+bug/1864439/comments/9
3. https://code.launchpad.net/~ahasenack/ubuntu/+source/libcbor/+git/libcbor/+merge/381060
4. https://github.com/PJK/libcbor/releases
2020-03-24 21:06:00 Andreas Hasenack description
Old value: the description as set in the 2020-03-24 20:09:46 entry
New value:
libcbor is a dependency of libfido2, which is being MIRed in bug #1864439. As such, libcbor was added to the same MIR.

The libcbor MIR was accepted on two conditions:
a) it's updated to 0.6.0[1]
b) its test suite is run at build time[2]

Both of these conditions are met in my linked MP[3].

The most important packaging changes are:
- test suite is run at package build time
- upstream changed the soname in 0.6.0 (ok so far), but in an overzealous way (it made the full 0.6.0 version part of the soname). I talked with upstream and they suggested a patch to make 0.6 part of the soname only. That patch I applied in our package, and had to rename the binary library package to libcbor0.6 (from libcbor0). See the MP[3] for details and links to the conversation with upstream;
- I fixed a ton of lintian issues. Current lintian -I --pedantic output is just:
I: libcbor source: testsuite-autopkgtest-missing
P: libcbor source: file-contains-trailing-whitespace debian/changelog (line 44)

The upstream release notes for each version are at [4]. Our update is from 0.5.0 in focal to 0.6.0 with the above changes. The security team was interested in all the fixes announced in 0.6.0.

One potential issue here is that ubuntu will be shipping a 0.6.0 package which produces a 0.6 version in the soname, whereas the exact same upstream version uses 0.6.0 in the soname. I asked upstream if they preferred to make a new release. On one hand, upstream agreed[5], but at the same time didn't seem too worried[6]. You, dear release team member reviewer, are welcomed to chime in with what you think should be done :)

PPA with builds: https://launchpad.net/~ahasenack/+archive/ubuntu/openssh-fido/

The only reverse dependency of libcbor is libfido2-1 and libcbor itself in the form of the -dev package.

1. https://bugs.launchpad.net/ubuntu/+source/libfido2/+bug/1864439/comments/7
2. https://bugs.launchpad.net/ubuntu/+source/libfido2/+bug/1864439/comments/9
3. https://code.launchpad.net/~ahasenack/ubuntu/+source/libcbor/+git/libcbor/+merge/381060
4. https://github.com/PJK/libcbor/releases
5. https://github.com/PJK/libcbor/pull/131#issuecomment-602855102
6. https://github.com/PJK/libcbor/issues/52#issuecomment-602864168
2020-03-26 17:09:06 Łukasz Zemczak libcbor (Ubuntu): status New Triaged
2020-03-27 15:46:00 Launchpad Janitor libcbor (Ubuntu): status Triaged Fix Released