bug#24674: Dropbear bundled libraries
From: Leo Famulari
Subject: bug#24674: Dropbear bundled libraries
Date: Wed, 12 Oct 2016 11:15:03 -0400
User-agent: Mutt/1.7.0 (2016-08-17)

Our Dropbear package bundles the libraries libtommath and libtomcrypt
[0], and their bundled changelogs imply that they date from 2006.

The Dropbear CHANGES [1] file shows that some attempt has been made to
cherry-pick some bug fixes. It also looks like Dropbear has made their
own changes to the bundled libraries.

Apparently it is possible to build against non-bundled libraries [2].

Both libraries have had new releases in the last ten years [3].

It appears that Debian does use the bundled libraries [4].

In July, I asked Matt Johnston, the Dropbear author, how far the bundled
copies had diverged from upstream and if it was safe to unbundle them,
but I didn't get a response.

[0] https://github.com/libtom
    https://github.com/mkj/dropbear/tree/master/libtomcrypt
    https://github.com/mkj/dropbear/tree/master/libtommath
[1] https://github.com/mkj/dropbear/blob/master/CHANGES#L481
[2] https://github.com/mkj/dropbear/blob/master/CHANGES#L532
    "- Attempt to build against system libtomcrypt/libtommath if available.
    This can be disabled with ./configure --enable-bundled-libtom"
[3] https://github.com/libtom/libtomcrypt/releases
    https://github.com/libtom/libtommath/releases
[4] https://packages.debian.org/sid/dropbear