Hi all,
I upgraded the Bouncy Castle package to the latest version, 1.48,
released last month. This version fixes a security issue.
Starting with version 1.47 there is no longer a bctsp jar shipped
upstream but a bcpkix jar with a broader scope. So the libbctsp-java
package has been replaced with a new libbcpkix-java package. This change
will affect libitext-java and libitext5-java.
Is there anything special to do to get the old libbctsp-java 1.46
package removed from the archive when the new libbcpkix-java package is
uploaded?
I noticed that Bouncy Castle provides a bcprov-ext jar that isn't
packaged yet. This jar was introduced in the 1.39 release; it's a
superset of bcprov.jar that includes two extra encryption algorithms
(IDEA and NTRU). I'd like to package it but I'm unsure how to handle it.
I see 4 solutions:

1. Create a package libbcprov-ext-java that conflicts with
   libbcprov-java (they would both install the same reference in
   /etc/java/security/security.d)
2. Substitute bcprov.jar bundled in libbcprov-java with bcprov-ext.jar
   (and add the necessary symlinks to map the two jars)
3. Create a package libbcprov-ext-java that contains only the new
   encryption algorithms (this avoids the conflict but creates a jar that
   diverges significantly from upstream)
4. Do nothing because I'll break cryptography export rules and get
   arrested quickly :)
What do you think?
Considering the amount of changes, this upload targets the experimental
distribution.
Here is the changelog:

  * New upstream release
    - Fixes the Lucky 13 attack on CBC-mode encryption in TLS
      CVE-2013-0169, CVE-2013-1624 (Closes: #699885)
  * Added the bcpkix packages
  * Removed the bctsp packages (the TSP API is now included in bcpkix)
  * Updated Standards-Version to 3.9.4: no changes needed.
  * Removed the DMUA flag
  * Refreshed the patches
  * Removed "Suggests: java-virtual-machine" on the libbcpg-java-gcj package

http://mentors.debian.net/package/bouncycastle
http://mentors.debian.net/debian/pool/main/b/bouncycastle/bouncycastle_1.48+dfsg-1.dsc
Thank you for your reviews,
Emmanuel Bourg
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
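As an added illustration of option 1 from the message above (not part of the original mail and not taken from the Debian bouncycastle packaging), here is a hypothetical debian/control fragment for a libbcprov-ext-java binary package that cannot be co-installed with libbcprov-java. The package names come from the message; the Provides/Replaces fields and the description text are assumptions about how such a drop-in replacement would usually be declared.

```debcontrol
# Hypothetical fragment for debian/control (added example, not the
# project's own packaging). Both packages would ship the same provider
# registration under /etc/java/security/security.d, so they must not be
# installed at the same time.

Package: libbcprov-java
Architecture: all
Depends: ${misc:Depends}
Description: Bouncy Castle generic encryption library
 Lightweight Java cryptography API: core provider (bcprov.jar).

Package: libbcprov-ext-java
Architecture: all
Depends: ${misc:Depends}
# Conflicts prevents co-installation of the two providers.
Conflicts: libbcprov-java
# Replaces lets dpkg overwrite the shared file in security.d cleanly.
Replaces: libbcprov-java
# Provides (assumption) lets packages that depend on libbcprov-java,
# such as libitext-java, be satisfied by the extended provider as well.
Provides: libbcprov-java
Description: Bouncy Castle generic encryption library (extended)
 Superset of bcprov.jar that additionally ships the IDEA and NTRU
 algorithms (bcprov-ext.jar).
```

One caveat worth checking before relying on this: an unversioned Provides does not satisfy a versioned dependency such as `libbcprov-java (>= 1.48)`, so reverse dependencies that pin a version would still need a Depends alternative (`libbcprov-java (>= 1.48) | libbcprov-ext-java`) to accept either jar.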