libgcrypt soname bump in rawhide

Kalev Lember kalevlember at gmail.com
Wed Jul 2 16:03:33 UTC 2014


On 07/02/2014 05:24 PM, Stephen Gallagher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 07/02/2014 11:22 AM, Stephen Gallagher wrote:
>> On 07/02/2014 11:19 AM, Kalev Lember wrote:
>>> On 07/02/2014 05:13 PM, Stephen Gallagher wrote:
>>>> This is not an official solution, but I am now providing a
>>>> COPR for Rawhide installs that provides a compatibility library
>>>> for libgcrypt.
>>
>>> That's awesome, but can we get this in rawhide proper instead?
>>> I'd be happy to help get this through the review process if you
>>> need a reviewer.
>>
>>
>> Short answer: no. I don't have the time or inclination to attempt
>> to maintain a compat *crypto* library. There's far too much
>> possibility for disaster there.

Fair enough, that's totally understandable if you don't want to maintain
a crypto library. I just had to ask :)

However, we've got a F21 release looming closer and I'd like to make
sure major 3rd party apps keep working out of the box. And yes, this
includes Chrome.

This is especially important since we don't have Chromium in the Fedora
repositories; otherwise we could tell users to use that instead.

I feel like this is our (Fedora's) responsibility to provide a libgcrypt
compat package, since it's been part of standard ABI for a while and 3rd
party packages are likely to rely on it. In my book, it's fine to phase
a widely used ABI out, but not pull the plug in a single release.

It's unreasonable to ask 3rd party developers to follow Rawhide closely
and port stuff while F21 is still under development. A much better 3rd
party developer story would be saying:

  "Hi Mr. 3rd Party Developer, we've released F21 today with a new
   libcrypt. We'll remove old libcrypt in F22 but we are providing ABI
   compatiblity for F21 lifetime; you have 6 months to port your stuff."

Anyone here interested in maintaining a libgcrypt compat package for F21
lifetime? I'd be happy to help sort out packaging and get this through
the review process.

> To clarify: in my COPR, it's use-at-your-own-risk. If we moved it to
> Rawhide, I'm on the hook to make sure it's constantly kept up-to-date
> and keep track of vulnerabilities. I'm not prepared to take that level
> of ownership on. I only built this COPR because I was updating to
> Rawhide today and this bit me. I'm being nice and sharing it, with the
> expectation that it's really only meant for this singular use-case,
> which should be obsoleted as soon as Google moves to the newer
> libgcrypt (or bundles their own, whatever).

I'm afraid that this could lead to technically capable people using your
copr because it provides an easy way out, and leaving others out in the
cold. People who'd be able to fix this in rawhide proper switch to using
your copr, and end users who expect point and click Chrome installation
to work are going to be disappointed and look for alternatives.

-- 
Kalev


More information about the devel mailing list