Hey,
Due to a couple of CVEs I'll need to rebase botan2 in EPEL 8 to a slightly less ancient version (which also brings me to [0], about which I completely forgot after I took over the botan2 package, apologies for that). I tried to cherry-pick just the necessary patches, but there's a lot of conflicts/missing or moved files/etc. due to the version difference so, in my opinion, doing a rebase is a way safer option here (and it also makes future maintenance slightly less painful, since EPEL 8 will be with us for another almost five years).
I can't rebase to the latest 2.x version, since v2.19.2 drops support for the OpenSSL provider. I don't know if anyone uses it in EPEL 8, but I don't feel comfortable dropping it so far in EPEL 8's maintenance cycle. But from the maintenance point of view this is fine, since with v2.19.1 all necessary CVE patches (and other bugfixes I cherry-picked along the way) apply cleanly.
Since the rebase also bumps libbotan-2.so from libbotan-2.so.12.12.1 to libbotan-2.so.19.19.1, packages that depend on it will need to be rebuilt, namely:
$ dnf repoquery --enablerepo "epel*" --whatrequires "libbotan-2.so*"
botan2-devel-0:2.12.1-4.el8.x86_64
corectrl-0:1.3.0-2.el8.x86_64
keepassxc-0:2.7.9-1.el8.x86_64
qca-qt5-botan-0:2.3.4-2.el8.x86_64
As I don't have provenpackage privileges, I created a side tag epel8-build-side-92634 with the rebased botan2 build (botan2-2.19.1-2.el8 ATTOW) and kindly ask the maintainers of the affected packages (CC'ed) to add their builds into it using:
$ fedpkg build --target=epel8-build-side-92634
Since this is my first multi-package build, please let me know if I messed anything up.
Thank you!
Cheers, Frantisek
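As an added illustration (not part of the thread or the botan2 package), the following script shows why the 12 -> 19 bump above forces rebuilds while a same-soname update would not: it derives the DT_SONAME rpm exports from the library file name, compares it against constructed Requires data modelled on rpm's automatic soname dependencies for the packages listed in the dnf output, and groups the packages that still require the old soname by their source package (the botan2-to-qca mapping is taken from the thread; the Requires lists are constructed sample data).

```python
"""Which dependents does a shared-library soname bump break?

Added example, not the botan2 maintainers' tooling. The Requires data is
constructed to mirror what rpm generates automatically for 64-bit ELF
binaries (e.g. 'libbotan-2.so.12()(64bit)').
"""
import re

# Constructed sample: dependents from `dnf repoquery --whatrequires
# "libbotan-2.so*"` with the automatic soname Requires rpm would record.
REQUIRES = {
    "botan2-devel-0:2.12.1-4.el8.x86_64": ["libbotan-2.so.12()(64bit)"],
    "corectrl-0:1.3.0-2.el8.x86_64": ["libbotan-2.so.12()(64bit)",
                                      "libc.so.6()(64bit)"],
    "keepassxc-0:2.7.9-1.el8.x86_64": ["libbotan-2.so.12()(64bit)",
                                       "libQt5Core.so.5()(64bit)"],
    "qca-qt5-botan-0:2.3.4-2.el8.x86_64": ["libbotan-2.so.12()(64bit)"],
}
# Binary package -> source package (qca-qt5-botan is built from qca).
SRPM_OF = {
    "botan2-devel-0:2.12.1-4.el8.x86_64": "botan2",
    "corectrl-0:1.3.0-2.el8.x86_64": "corectrl",
    "keepassxc-0:2.7.9-1.el8.x86_64": "keepassxc",
    "qca-qt5-botan-0:2.3.4-2.el8.x86_64": "qca",
}


def soname_from_filename(fname: str) -> str:
    """'libbotan-2.so.12.12.1' -> 'libbotan-2.so.12' (the DT_SONAME part)."""
    m = re.match(r"^(.+\.so\.\d+)(?:\.\d+)*$", fname)
    if not m:
        raise ValueError(f"not a versioned shared library name: {fname}")
    return m.group(1)


def rpm_soname_dep(soname: str, bits: int = 64) -> str:
    """Render the soname the way rpm's elf dependency generator does."""
    return f"{soname}()({bits}bit)" if bits == 64 else soname


def rebuilds_needed(old_file, new_file, requires=REQUIRES,
                    srpm_of=SRPM_OF, rebased_srpm="botan2"):
    """Map source package -> binary packages linked against the old soname.

    Subpackages of the rebased source package itself (botan2-devel) are
    rebuilt by the rebase and therefore excluded.
    """
    old_dep = rpm_soname_dep(soname_from_filename(old_file))
    new_dep = rpm_soname_dep(soname_from_filename(new_file))
    if old_dep == new_dep:
        return {}  # same DT_SONAME: ABI-compatible update, nothing to rebuild
    needed = {}
    for pkg, reqs in requires.items():
        if old_dep in reqs and srpm_of[pkg] != rebased_srpm:
            needed.setdefault(srpm_of[pkg], []).append(pkg)
    return {k: sorted(v) for k, v in sorted(needed.items())}


if __name__ == "__main__":
    for srpm, pkgs in rebuilds_needed("libbotan-2.so.12.12.1",
                                      "libbotan-2.so.19.19.1").items():
        print(f"{srpm}: rebuild for {', '.join(pkgs)}")
```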
Hi František,
On Tue, Jul 16, 2024 at 02:08:23PM +0200, František Šumšal wrote:
I can help with rebuilding dependent packages -- however, as this is an incompatible upgrade you need to follow this process:
https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/
Step one is this email; step two says you can build and submit to testing now if critical (but don't make it automatically request to stable based on time or karma)
But given step 3 (discussion for a week) and (4) you need to file an issue and get approval at the EPEL meeting, you probably want to hold off on continuing for now.
The meetings are on Wednesdays so we can take this up Wednesday next week if you file the EPEL issue next Tuesday (after allowing for a week of discussion).
Best,
Hey,
On 7/17/24 00:23, Michel Lind wrote:
> I can help with rebuilding dependent packages -- however, as this is an incompatible upgrade you need to follow this process:
> https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/
*sigh*, I knew I forgot something important. Apologies for that and many thanks for pointing it out!
> Step one is this email; step two says you can build and submit to testing now if critical (but don't make it automatically request to stable based on time or karma)
> But given step 3 (discussion for a week) and (4) you need to file an issue and get approval at the EPEL meeting, you probably want to hold off on continuing for now.
> The meetings are on Wednesdays so we can take this up Wednesday next week if you file the EPEL issue next Tuesday (after allowing for a week of discussion).
Will do. Many thanks!
Cheers, Frantisek
Hi František,
On Wed, Jul 17, 2024 at 10:36:01AM +0200, František Šumšal wrote:
> *sigh*, I knew I forgot something important. Apologies for that and many thanks for pointing it out!
We've clarified the policy at the last EPEL meeting:
https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/...
you can now file the issue requesting an incompatible upgrade immediately, and we'll schedule it for a vote after a week of discussion - that way you don't need to remember to file it after a week has passed.
So if you file it anytime between now and Wednesday, we'll take this up at next Wednesday's meeting.
Best regards,
On 7/19/24 05:42, Michel Lind wrote:
> you can now file the issue requesting an incompatible upgrade immediately, and we'll schedule it for a vote after a week of discussion - that way you don't need to remember to file it after a week has passed.
> So if you file it anytime between now and Wednesday, we'll take this up at next Wednesday's meeting.
Excellent, thank you! I just filed https://pagure.io/epel/issue/287.
Cheers, Frantisek
On Tue, Jul 23, 2024 at 01:36:52PM +0200, František Šumšal wrote:
> Excellent, thank you! I just filed https://pagure.io/epel/issue/287.
This has been approved at the meeting today. Yaakov (cc:ed) had some observations about one of the packages that he'll share here separately.
Cheers,
Hey!
On 7/24/24 21:51, Michel Lind wrote:
> This has been approved at the meeting today. Yaakov (cc:ed) had some observations about one of the packages that he'll share here separately.
Thank you! I reviewed and merged patches for the issues that were raised during the meeting (thanks to all involved!) and built the package in a new side tag:
$ koji list-tagged epel8-build-side-93327
Build                                    Tag                    Built by
---------------------------------------- ---------------------- ----------------
botan2-2.19.1-4.el8                      epel8-build-side-93327 mrc0mmand
Now it should be, hopefully, ready for rebuilds of the dependent packages by either the respective maintainers (CC'ed) or by a proven packager.
Cheers, Frantisek
Hello,
Apologies for the delay - I got heavily side-tracked by RHEL 10 work and failed to push this one through.
I created yet another EPEL 8 side-tag (hopefully the last one):
$ koji list-tagged epel8-build-side-98352
Build                                    Tag                    Built by
---------------------------------------- ---------------------- ----------------
botan2-2.19.1-5.el8                      epel8-build-side-98352 mrc0mmand
And I'm kindly asking if any provenpackager (CC Michel) could lend a hand and help me to rebuild the necessary dependencies (corectrl, keepassxc, qca [for qca-qt5-botan]) into the aforementioned side-tag.
Thank you!
On 8/1/24 11:28, František Šumšal wrote: