[arch-dev-public] Orphaning crypto++

Baptiste Jonglez baptiste at bitsofnetworks.org
Thu Dec 5 22:53:49 UTC 2019


Hi,

I plan to orphan crypto++ [1] soon: I don't maintain any package that
depends on it anymore, and it's becoming annoying to maintain.

For instance, there was a significant security issue on July 2019 [2], and
5 months later there is still no upstream release even though a patch is
available [3].  I just patched the Arch package but it raises the question
of whether we want to have such a crypto library in our repositories.

Here are the packages that currently depend on crypto++:

- amule
- clementine
- kvazaar
- rbutil
- ceph (makedepends)

If nobody steps up to adopt it before December 20th, I will drop it to the
AUR.  In that case, I will send a reminder to find a solution for the
above packages.

Thanks,
Baptiste		    

[1] https://www.archlinux.org/packages/community/x86_64/crypto++/
[2] https://security.archlinux.org/CVE-2019-14318
[3] https://github.com/weidai11/cryptopp/issues/869
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-dev-public/attachments/20191205/e9891fe7/attachment.sig>


More information about the arch-dev-public mailing list