[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport

First off, thanks to Antoine not only for doing all this work for
jessie, but for helping out with getting stretch in better shape.

If we aim to support our users for an LTS distro, this is exactly the
sort of thing we need done.

If we're realistically talking about actually dropping support for
enigmail on jessie on the grounds that not many people are using it for
destkop systems at all, then i think we should instead consider dropping
thunderbird itself from jessie.

(alternately, of course, we could just drop jessie entirely and
encourage an upgrade to debian stable instead, but that doesn't seem to
be the consensus on this debian-lts list)

On Wed 2018-12-19 11:59:46 -0500, Antoine Beaupré wrote:
> On 2018-12-18 14:34:06, Emilio Pozuelo Monfort wrote:
>> libgcrypt is a bit more worrying, even after dropping most of the noise:
>> $ diff libgcrypt20-1.*/ | filterdiff -x '*.pc/*' -x '*/debian/*' -x '*/tests/*'
>> | diffstat | tail -1
>>  263 files changed, 51927 insertions(+), 14888 deletions(-)
> Yeah, that's my concern as well.
> Daniel, what do you think of that diff? Is that something we can
> reasonably review? How much can we expect stability in that upgrade?
> I know you stated before general principles of gpg vs lib / API
> stability, but I'd be curious to hear your thoughts on gcrypt, in this
> specific case.

I agree that an upgrade to gcrypt is the biggest risk here, and i'm not
sure how to evaluate it other than running what meager rdep test suites
we have in jessie.  I don't know whether anyone who has been working on
ci.debian.net is following this discussion, but i think it points to
some really salient use cases for test infrastructure.  How nice it
would be if a DD could upload a prospective package and say "please run
all test suites for reverse dependencies!"

Andreas Metzler (cc'ed here) has been a stalwart steward of gcrypt in
debian for many years, even after GnuTLS switched to nettle, and
probably has the best sense of what kind of system integration dangers
might lurk in the proposed upgrade for jessie.  Perhaps he can comment
on it?

as rdeps go, systemd is the scariest of the lot (breaking systemd with a
dep upgrade would be bad bad bad) but frankly, i'm not worried there.

systemd does link against gcrypt, it is used primarily for cryptographic
digests (hashes) in any significant way across the codebase, which i'm
not worried about breaking across an upgrade.  It is only used in any
complex way in systemd in two places, afaict:

 * systemd-journald (its forward-secure pseudorandom generator, and its
   authenticator function), and

 * systemd-resolved's DNSSEC verification.

These are both pretty advanced systemd features (i don't know how well
either of them have ever been tested in jessie at all, fwiw) and i have
a hard time imagining that anyone stuck on jessie is actually using
either of them.



Attachment: signature.asc
Description: PGP signature

Reply to: