(address . bug-guix@gnu.org)
Our Dropbear package bundles the libraries libtommath and libtomcrypt
[0], and their bundled changelogs imply that they date from 2006.

The Dropbear CHANGES [1] file shows that some attempt has been made to
cherry-pick some bug fixes. It also looks like Dropbear has made their
own changes to the bundled libraries.

Apparently it is possible to build against non-bundled libraries [2].

Both libraries have had new releases in the last ten years [3].

It appears that Debian does use the bundled libraries [4].

In July, I asked Matt Johnston, the Dropbear author, how far the bundled
copies had diverged from upstream and if it was safe to unbundle them,
but I didn't get a response.

[0]
[1]
[2]
"- Attempt to build against system libtomcrypt/libtommath if available.
This can be disabled with ./configure --enable-bundled-libtom"
[3]
[4]