First off, thanks to Antoine not only for doing all this work for jessie, but for helping out with getting stretch in better shape. If we aim to support our users for an LTS distro, this is exactly the sort of thing we need done.

If we're realistically talking about actually dropping support for enigmail on jessie on the grounds that not many people are using it for desktop systems at all, then i think we should instead consider dropping thunderbird itself from jessie.

(alternately, of course, we could just drop jessie entirely and encourage an upgrade to debian stable instead, but that doesn't seem to be the consensus on this debian-lts list)

On Wed 2018-12-19 11:59:46 -0500, Antoine Beaupré wrote:
> On 2018-12-18 14:34:06, Emilio Pozuelo Monfort wrote:
>> libgcrypt is a bit more worrying, even after dropping most of the noise:
>>
>> $ diff libgcrypt20-1.*/ | filterdiff -x '*.pc/*' -x '*/debian/*' -x '*/tests/*'
>> | diffstat | tail -1
>> 263 files changed, 51927 insertions(+), 14888 deletions(-)
>
> Yeah, that's my concern as well.
>
> Daniel, what do you think of that diff? Is that something we can
> reasonably review? How much can we expect stability in that upgrade?
>
> I know you stated before general principles of gpg vs lib / API
> stability, but I'd be curious to hear your thoughts on gcrypt, in this
> specific case.

I agree that an upgrade to gcrypt is the biggest risk here, and i'm not sure how to evaluate it other than running what meager rdep test suites we have in jessie.

I don't know whether anyone who has been working on ci.debian.net is following this discussion, but i think it points to some really salient use cases for test infrastructure. How nice it would be if a DD could upload a prospective package and say "please run all test suites for reverse dependencies!"

Andreas Metzler (cc'ed here) has been a stalwart steward of gcrypt in debian for many years, even after GnuTLS switched to nettle, and probably has the best sense of what kind of system integration dangers might lurk in the proposed upgrade for jessie. Perhaps he can comment on it?

as rdeps go, systemd is the scariest of the lot (breaking systemd with a dep upgrade would be bad bad bad) but frankly, i'm not worried there. systemd does link against gcrypt, it is used primarily for cryptographic digests (hashes) in any significant way across the codebase, which i'm not worried about breaking across an upgrade. It is only used in any complex way in systemd in two places, afaict:

 * systemd-journald (its forward-secure pseudorandom generator, and its authenticator function), and

 * systemd-resolved's DNSSEC verification.

These are both pretty advanced systemd features (i don't know how well either of them have ever been tested in jessie at all, fwiw) and i have a hard time imagining that anyone stuck on jessie is actually using either of them.

Regards,

        --dkg