[arch-dev-public] Orphaning crypto++
Hi,
I plan to orphan crypto++ [1] soon: I don't maintain any package that depends on it anymore, and it's becoming annoying to maintain.
For instance, there was a significant security issue in July 2019 [2], and 5 months later there is still no upstream release even though a patch is available [3]. I just patched the Arch package but it raises the question of whether we want to have such a crypto library in our repositories.
Here are the packages that currently depend on crypto++:
- amule
- clementine
- kvazaar
- rbutil
- ceph (makedepends)
If nobody steps up to adopt it before December 20th, I will drop it to the AUR. In that case, I will send a reminder to find a solution for the above packages.
Thanks,
Baptiste
[1] https://www.archlinux.org/packages/community/x86_64/crypto++/
[2] https://security.archlinux.org/CVE-2019-14318
[3] https://github.com/weidai11/cryptopp/issues/869
On Thu, 2019-12-05 at 23:53 +0100, Baptiste Jonglez wrote:
Hi,
I plan to orphan crypto++ [1] soon: I don't maintain any package that depends on it anymore, and it's becoming annoying to maintain.
For instance, there was a significant security issue in July 2019 [2], and 5 months later there is still no upstream release even though a patch is available [3]. I just patched the Arch package but it raises the question of whether we want to have such a crypto library in our repositories.
Here are the packages that currently depend on crypto++:
- amule
- clementine
- kvazaar
- rbutil
- ceph (makedepends)
If nobody steps up to adopt it before December 20th, I will drop it to the AUR. In that case, I will send a reminder to find a solution for the above packages.
Thanks,
Baptiste
[1] https://www.archlinux.org/packages/community/x86_64/crypto++/
[2] https://security.archlinux.org/CVE-2019-14318
[3] https://github.com/weidai11/cryptopp/issues/869
Hi Baptiste,
Since I have 2 packages depending on it, I may have to take it off your hands.
That said, I've been considering dropping clementine to AUR for a while. It needs a lot of patching, is built from an unstable qt5 branch, and has a lot of better alternatives, including a fully featured qt5 fork named strawberry.
rbutil is another beast, they release once every 10 years and crypto++ was introduced in the very latest that was released less than a month ago. I don't think there's a solution for this one.
Cheers,
--
Maxime
Hi,
On 06-12-19, Maxime Gauduin via arch-dev-public wrote:
Hi Baptiste,
Since I have 2 packages depending on it, I may have to take it off your hands.
Thanks for the proposal, having a maintainer that actually uses the package will be a real improvement over the current situation!
That said, I've been considering dropping clementine to AUR for a while. It needs a lot of patching, is built from an unstable qt5 branch, and has a lot of better alternatives, including a fully featured qt5 fork named strawberry.
rbutil is another beast, they release once every 10 years and crypto++ was introduced in the very latest that was released less than a month ago. I don't think there's a solution for this one.
I had a look and indeed, rbutil really needs crypto++:
https://git.rockbox.org/?p=rockbox.git;a=commit;h=dbeb6db1b55a50dedf17e7d78d...
https://git.rockbox.org/?p=rockbox.git;a=commit;h=8b3f5a8ad7434850804a4a664d...
https://git.rockbox.org/?p=rockbox.git;a=commit;h=759a78e5dff134f2632875f61a...
So, if you want to keep rbutil, crypto++ should indeed stay in our repositories as well.
Baptiste
participants (2)
- Baptiste Jonglez
- Maxime Gauduin