Re: HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport

[Emilio Pozuelo Monfort <pochu@debian.org>]

On 14/12/2018 09:08, Emilio Pozuelo Monfort wrote:
> On 13/12/2018 21:14, Antoine Beaupré wrote:
>> Hi,
>>
>> This is the latest update in the Thunderbird / Enigmail changes that are
>> happening in jessie. I have built a series of test packages, partly from
>> stretch (gnupg2, enigmail) and partly from backports (libassuan,
>> libgcrypt, libgpg-error, npth) and uploaded them here:
>>
>> https://people.debian.org/~anarcat/debian/jessie-lts/
>>
>> I need people to test those packages, and not just enigmail users. Some
>> of those packages have pernicious and deep ramifications. I am
>> particularly worried about libgcrypt, which is used for example by
>> cryptsetup.
> 
> I see that your tests have gone well so far (except for enigmail itself for
> unrelated reasons as you explain). This is great work, and I don't mean to push
> back on it. However given the impact of these library updates, I was wondering
> if we have considered to just mark enigmail as EOL in jessie? Obviously if we
> can keep supporting stuff we should do that, but as you say these library
> updates affect important unrelated rdeps so we need to weigh that.
> 
> BTW I have briefly looked at the versions you have backported, and I wonder why
> npth and libgpg-error have deb8u3 rather than deb8u1?
> 
> I haven't looked at your changes yet, but I will find some time to look at them
> and give these packages a try.

Looking at a jessie -> jessie-new diff, I see that several -dbg packages are
gone in your backports. There are some mingw builds as well, which in some cases
don't seemto be installed, but e.g. libgpg-error actually adds a mingw package.
I would remove all that stuff.

The npth diff is pretty trivial, basically comes down to this:

 src/npth.c                                     |  132 ++++

libassuan is a bit larger, but not too bad:

$ diff libassuan-2.*/src/ | diffstat | tail -1
 26 files changed, 1492 insertions(+), 510 deletions(-)

(some of that is Makefile.in)

libgpg-error has some autogenerated stuff, ignoring that it's mostly this:

 estream.c                                            | 1456 +++++++++++++------

libgcrypt is a bit more worrying, even after dropping most of the noise:

$ diff libgcrypt20-1.*/ | filterdiff -x '*.pc/*' -x '*/debian/*' -x '*/tests/*'
| diffstat | tail -1
 263 files changed, 51927 insertions(+), 14888 deletions(-)

FWIW I see that Ubuntu added OpenPGP.js back, and is using gnupg 2.0.x in
trusty. We ruled that out because supporting gnupg 2.0.x is unfeasible or
because we are missing some dependencies for OpenGPG.js ? Can't we just use the
bundled code inside enigmail? Sorry if these questions have already been
answered. I have looked at the various long threads but wasn't sure.

Cheers,
Emilio