[arch-dev-public] Orphaning crypto++
Maxime Gauduin
alucryd at archlinux.org
Fri Dec 6 18:38:23 UTC 2019
On Thu, 2019-12-05 at 23:53 +0100, Baptiste Jonglez wrote:
> Hi,
>
> I plan to orphan crypto++ [1] soon: I don't maintain any package that
> depends on it anymore, and it's becoming annoying to maintain.
>
> For instance, there was a significant security issue in July 2019 [2], and
> 5 months later there is still no upstream release even though a patch is
> available [3]. I just patched the Arch package but it raises the question
> of whether we want to have such a crypto library in our repositories.
>
> Here are the packages that currently depend on crypto++:
>
> - amule
> - clementine
> - kvazaar
> - rbutil
> - ceph (makedepends)
>
> If nobody steps up to adopt it before December 20th, I will drop it to the
> AUR. In that case, I will send a reminder to find a solution for the
> above packages.
>
> Thanks,
> Baptiste
>
> [1] https://www.archlinux.org/packages/community/x86_64/crypto++/
> [2] https://security.archlinux.org/CVE-2019-14318
> [3] https://github.com/weidai11/cryptopp/issues/869

Hi Baptiste,

Since I have 2 packages depending on it, I may have to take it off your
hands.

That said, I've been considering dropping clementine to AUR for a
while. It needs a lot of patching, is built from an unstable qt5
branch, and has a lot of better alternatives, including a fully
featured qt5 fork named strawberry.

rbutil is another beast, they release once every 10 years and crypto++
was introduced in the very latest that was released less than a month
ago. I don't think there's a solution for this one.

Cheers,
--
Maxime