[arch-dev-public] Orphaning crypto++

Maxime Gauduin alucryd at archlinux.org
Fri Dec 6 18:38:23 UTC 2019


On Thu, 2019-12-05 at 23:53 +0100, Baptiste Jonglez wrote:
> Hi,
> 
> I plan to orphan crypto++ [1] soon: I don't maintain any package that
> depends on it anymore, and it's becoming annoying to maintain.
> 
> For instance, there was a significant security issue in July 2019 [2], and
> 5 months later there is still no upstream release even though a patch is
> available [3].  I just patched the Arch package but it raises the question
> of whether we want to have such a crypto library in our repositories.
> 
> Here are the packages that currently depend on crypto++:
> 
> - amule
> - clementine
> - kvazaar
> - rbutil
> - ceph (makedepends)
> 
> If nobody steps up to adopt it before December 20th, I will drop it to the
> AUR.  In that case, I will send a reminder to find a solution for the
> above packages.
> 
> Thanks,
> Baptiste
> 
> [1] https://www.archlinux.org/packages/community/x86_64/crypto++/
> [2] https://security.archlinux.org/CVE-2019-14318
> [3] https://github.com/weidai11/cryptopp/issues/869

Hi Baptiste,

Since I have 2 packages depending on it, I may have to take it off your
hands.

That said, I've been considering dropping clementine to AUR for a
while. It needs a lot of patching, is built from an unstable qt5
branch, and has a lot of better alternatives, including a fully
featured qt5 fork named strawberry.

rbutil is another beast, they release once every 10 years and crypto++
was introduced in the very latest that was released less than a month
ago. I don't think there's a solution for this one.

Cheers,
-- 
Maxime

