pycryptodome bundles libtomcrypt, fonts, JavaScript and CSS

Status: Open
Participants: Leo Famulari, Maxime Devos
Owner: unassigned
Submitted by: Maxime Devos
Severity: normal
Maxime Devos wrote on 11 Jul 2021 23:17
(address . bug-guix@gnu.org)
cbcedc616fdc1e4f97075b81fc17a290f2c46684.camel@telenet.be
X-Debbugs-CC: slg <0x2d@disroot.org>

Hi guix,

In the context of https://issues.guix.gnu.org/49123, I looked
at the source code of pycryptodome, version 3.10.1. It bundles
some fonts, javascript, CSS, and libtomcrypt. That's not the
version packaged in guix, but presumably version 3.9.9 has
the same issues as well.

More specifically, the following things are bundled:

Doc/sphinx_rtd_theme/static/js/theme.js: Minified
javascript code. It starts with
/* sphinx_rtd_theme version 0.4.0 | MIT license */

Doc/sphinx_rtd_theme/static/js/modernizr.min.js:
Likewise, and starts with /* Modernizr 2.6.2 (Custom Build) | MIT & BSD */

Doc/sphinx_rtd_theme/static/fonts: Various fonts
(‘font awesome’, ‘roboto slab’, ‘lato’, ‘inconsolata’).

Doc/sphinx_rtd_theme/static/css: Minified CSS. One file starts with
/* sphinx_rtd_theme version 0.4.0 | MIT license */, the other is of unknown
origin. There are also 'css.map' files. I don't know what these are.

src/libtom: Bundled headers from 'libtomcrypt'. Curiously, I don't see
corresponding '.c' files.

Greetings,
Maxime.
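
An added example, not part of the original report and not code from Guix or pycryptodome: one way a packager could scan an unpacked source tree for the kinds of bundled files listed above (minified JS/CSS with a `/* name | license */` banner, minified files of unknown origin, fonts, source maps, and C files under a `libtom` directory). The function names, the sample tree with its `unknown.css`, `sample.woff` and `sample.h` files, and the 500-character threshold are assumptions made for illustration.

```python
import re
from pathlib import Path

# Leading "/* name version | license */" banner, the form quoted in the report.
BANNER = re.compile(r"\s*/\*!?\s*([^|*]+?)\s*\|\s*([^*]+?)\s*\*/")
FONT_EXTS = {".ttf", ".otf", ".woff", ".woff2", ".eot"}
VENDORED_DIRS = {"libtom"}  # assumption: extend with other vendored directory names
MINIFIED_LINE = 500         # assumption: a line this long is treated as minified

def classify(path, root):
    """Return (kind, detail) when a file looks bundled, else None."""
    rel, ext = path.relative_to(root), path.suffix.lower()
    if ext in FONT_EXTS:
        return ("font", "")
    if path.name.endswith((".css.map", ".js.map")):
        return ("source-map", "")
    if ext in {".c", ".h"} and VENDORED_DIRS & set(rel.parts[:-1]):
        return ("vendored-c", "")
    if ext in {".js", ".css"}:
        text = path.read_text(encoding="utf-8", errors="replace")
        banner = BANNER.match(text)
        if banner:  # the banner names the upstream project and its license
            return ("third-party", f"{banner[1]} ({banner[2]})")
        if any(len(line) > MINIFIED_LINE for line in text.splitlines()):
            return ("minified-unknown-origin", "")
    return None

def scan(root):
    """Walk an unpacked source tree and list files a packager should review."""
    root = Path(root)
    return [(p.relative_to(root).as_posix(), *hit)
            for p in sorted(root.rglob("*"))
            if p.is_file() and (hit := classify(p, root))]

def build_sample(root):
    """Write a small constructed tree laid out like the paths in the report."""
    static = "Doc/sphinx_rtd_theme/static/"
    files = {
        static + "js/theme.js": "/* sphinx_rtd_theme version 0.4.0 | MIT license */\n!function(){}();\n",
        static + "css/unknown.css": ".a{color:red}" * 100,  # no banner, one long line
        static + "css/unknown.css.map": "{}",
        static + "fonts/sample.woff": "",
        "src/libtom/sample.h": "/* constructed header */\n",
        "lib/own.js": "function add(a, b) {\n  return a + b;\n}\n",  # not bundled
    }
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
```

Calling `build_sample(d)` on an empty directory and then `scan(d)` returns one `(path, kind, detail)` tuple per suspicious file; on a real tarball, pass the unpacked source directory to `scan` directly.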
Leo Famulari wrote on 12 Jul 2021 01:07
(name . Maxime Devos)(address . maximedevos@telenet.be)
YOt5yKR/oG1dFTHp@jasmine.lan
On Sun, Jul 11, 2021 at 11:17:03PM +0200, Maxime Devos wrote:
> src/libtom: Bundled headers from 'libtomcrypt'. Curiously, I don't see
> corresponding '.c' files.

Libtomcrypt is commonly embedded into other programs. For example, our
Dropbear package contained a modified copy of it for a long time, until
commit f72ff06ef8a83a78ad625fe50ee5bb618ea4f37c.

It may be that it can be used as a "headers only" library.
Maxime Devos wrote on 14 Jul 2021 12:01
(name . Leo Famulari)(address . leo@famulari.name)
5688ca3f46593b1ed9af0b61eb76e870b86e9611.camel@telenet.be
Leo Famulari wrote on Sun 11-07-2021 at 19:07 [-0400]:
> On Sun, Jul 11, 2021 at 11:17:03PM +0200, Maxime Devos wrote:
> > src/libtom: Bundled headers from 'libtomcrypt'. Curiously, I don't see
> > corresponding '.c' files.
>
> Libtomcrypt is commonly embedded into other programs. For example, our
> Dropbear package contained a modified copy of it for a long time, until
> commit f72ff06ef8a83a78ad625fe50ee5bb618ea4f37c.
>
> It may be that it can be used as a "headers only" library.

It turns out there is a C file after all: tomcrypt_des.c.
I sent a patch (https://issues.guix.gnu.org/49543) to unbundle
it and the headers.

Greetings,
Maxime.