[debbugs-tracker] bug#30448: closed (Update librsync to 2.0.1)

[GNU bug Tracking System]

Your message dated Tue, 12 Feb 2019 19:00:35 -0500
with message-id <address@hidden>
and subject line Re: Breaking rdiff-backup and btar (was Re: [bug#30448] Update 
librsync to 2.0.1)
has caused the debbugs.gnu.org bug report #30448,
regarding Update librsync to 2.0.1
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden)


-- 
30448: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=30448
GNU Bug Tracking System
Contact address@hidden with problems

--- Begin Message --- Subject: Update librsync to 2.0.1 Date: Tue, 13 Feb 2018 14:01:13 -0500 User-agent: Mutt/1.9.3 (2018-01-21)

librsync 2.0.1 is available at a new upstream URL:

https://github.com/librsync/librsync/releases

Patch attached.

This would also include the fix for CVE-2014-8242, which is about use of
a cryptographically broken hash function (truncated MD4), released in
librsync 1.0.0.

However, at least btar and rdiff-backup aren't compatible with this new
version of librsync (I'm still building deja-dup to test its
compatibility).

Additionally, I noticed that the built package doesn't keep any
references to bzip2 or zlib, which seems wrong to me.

Is anyone using one of the dependent packages interested in looking more
closely at this?

0001-gnu-librsync-Update-to-2.0.1.patch
Description: Text document

signature.asc
Description: PGP signature

--- End Message ---

--- Begin Message --- Subject: Re: Breaking rdiff-backup and btar (was Re: [bug#30448] Update librsync to 2.0.1) Date: Tue, 12 Feb 2019 19:00:35 -0500 User-agent: Mutt/1.11.2 (2019-01-07)

On Wed, Apr 25, 2018 at 01:23:33PM -0400, Leo Famulari wrote:
> Btw, the affected packages (btar, rdiff-backup, and duplicity) are the
> only users of librsync in Guix. So I think there is no reason to
> update librsync for now.

Closing this bug ticket...

signature.asc
Description: PGP signature

--- End Message ---