Dropbear bundled libraries

  • Done
Details
2 participants
  • Leo Famulari
  • zimoun
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal
Leo Famulari wrote on 12 Oct 2016 17:15
(address . bug-guix@gnu.org)
20161012151503.GA22149@jasmine
Our Dropbear package bundles the libraries libtommath and libtomcrypt
[0], and their bundled changelogs imply that they date from 2006.

The Dropbear CHANGES [1] file shows that some attempt has been made to
cherry-pick some bug fixes. It also looks like Dropbear has made their
own changes to the bundled libraries.

Apparently it is possible to build against non-bundled libraries [2].
Both libraries have had new releases in the last ten years [3].

It appears that Debian does use the bundled libraries [4].

In July, I asked Matt Johnston, the Dropbear author, how far the bundled
copies had diverged from upstream and if it was safe to unbundle them,
but I didn't get a response.

[0]

[1]

[2]
"- Attempt to build against system libtomcrypt/libtommath if available.
This can be disabled with ./configure --enable-bundled-libtom"

[3]

[4]


zimoun wrote on 18 Dec 2020 20:53
(name . Leo Famulari)(address . leo@famulari.name)(address . 24674@debbugs.gnu.org)
86tusivqks.fsf@gmail.com
Hi,

On Wed, 12 Oct 2016 at 11:15, Leo Famulari <leo@famulari.name> wrote:
> Our Dropbear package bundles the libraries libtommath and libtomcrypt
> [0], and their bundled changelogs imply that they date from 2006.

Since the package still contains the comment:

(arguments `(#:tests? #f)) ; there is no "make check" or anything similar
;; TODO: Investigate unbundling libtommath and libtomcrypt or at least
;; cherry-picking important bug fixes from them. See <bugs.gnu.org/24674>
;; for more information.

with the last update 2020-10-29, I propose to mark it as ’severe’ and
put it in the list of bugs which should be fixed for the next (or
next-next) release. WDYT?

All the best,
simon
Leo Famulari wrote on 18 Dec 2020 22:29
(name . zimoun)(address . zimon.toutoune@gmail.com)(address . 24674@debbugs.gnu.org)
X90fQaMl9R2Ko0jP@jasmine.lan
On Fri, Dec 18, 2020 at 08:53:23PM +0100, zimoun wrote:
> with the last update 2020-10-29, I propose to mark it as ’severe’ and
> put it in the list of bugs which should be fixed for the next (or
> next-next) release. WDYT?

Dropbear 2020.79 includes this text in the CHANGES file:

------
- Upgrade libtomcrypt to 1.18.2 and libtommath to 1.2.0, many thanks to Steffen Jaeckel for
updating Dropbear to use the current API. Dropbear's configure script will check
for sufficient system library versions, otherwise using the bundled versions.
------

And in 2020.80:

------
- Improve checking libtomcrypt version compatibility
------

So, it might be possible now to use "system" copies of these libraries.
Previously, I couldn't figure out how to make it work or if Dropbear would
continue to work correctly.

We have a package of libtommath 1.2.0.

TODO:
1) Package libtomcrypt 1.18.2
2) Try building Dropbear with libtommath and libtomcrypt Guix packages
Leo Famulari wrote on 19 Dec 2020 07:40
(name . zimoun)(address . zimon.toutoune@gmail.com)(address . 24674-done@debbugs.gnu.org)
X92gbs8VWqe4T/Vh@jasmine.lan
On Fri, Dec 18, 2020 at 04:29:37PM -0500, Leo Famulari wrote:
> TODO:
> 1) Package libtomcrypt 1.18.2
> 2) Try building Dropbear with libtommath and libtomcrypt Guix packages

Packaging libtomcrypt is easy, but building Dropbear without using the
bundled libtom libraries is still not that simple. I tried building
Dropbear with "--disable-bundled-libtom" but the build scripts don't
automatically find the shared libraries.

My primary motivation for filing this bug was the risk of serious bugs
in the old copies of the libtom libraries.

Since Dropbear has upgraded their copies and made enough modifications
that they think it's worth forking, and because using the external
libraries is complicated, I'm closing this bug as-is. But I'm also
leaving the comment in the Dropbear package definition.
Closed