monotone-devel

Re: [Monotone-devel] Patch to compile against Botan 2.x


From: Jack Lloyd
Subject: Re: [Monotone-devel] Patch to compile against Botan 2.x
Date: Sun, 15 Oct 2017 18:49:31 -0000
User-agent: Mutt/1.8.3 (2017-05-23)

On Sun, Oct 15, 2017 at 07:36:23PM +0200, Markus Wanner wrote:

> I committed your patch to net.venge.monotone.botan and continued from
> there on. Unfortunately, it didn't quite compile against any newer Botan
> version, so I continued to work on it.

Ah sorry about that, I will take another look at the patch and see
what happened.

> I added a new header file (src/botan.hh) to deduplicate some of the
> conditional imports.

That's a good idea.

> Cool, thanks. Given this won't appear before 2.3, I think monotone still
> needs dedicated includes for e.g. botan/filters.h to support 2.0 - 2.2,
> right?

Yes. It would probably be better to just include filters.h where
needed, instead of assuming botan.h pulls it in.

> Another unrelated question: You changed a couple of (not necessarily
> secure) byte vectors to DataSource_Memory. Whereas I figured I might
> simply use a vector<Botan::bytes>. What's the difference?

Hmm I'll have to look at the patch and get back to you on that, I
remember there was a good reason for that change but do not recall
what now.

> I don't know about other distros, but it's what Debian stable currently
> ships. And given it's just been released, I fear that statement will
> hold true for another roughly 2 years.

I know :( This is also true for EPEL7, Ubuntu 16.04, etc. Botan 2.x
package for Fedora/RHEL is created and past review, but now stuck in
some kind of limbo with RedHat legal review (they are paranoid about
patents). I contacted the current Debian maintainer for Botan 1.10
about submitting a new package for 2.x but have not heard back.

I think what's going to happen in practice is that after end of this
year we'll still continue to fix truly critical bugs in 1.10 (i.e.
remote code exec) if they arise, but stop backporting fixes for side
channels.

> I think it would make sense to require at least 1.10 from now on and
> drop everything older than that. I'm hesitant dropping 1.10 just yet.
> What do others think about dropping support for older Botan versions?

The only supported Linux/BSD distro I know of that is still shipping
1.8 is RHEL6/EPEL6. Everyone else is either 2.x or 1.10. 1.8 is good
and dead by now (there was a final patch roundup release in 2016 but
besides that the last release was in 2012).

Jack


