[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Official snapshot with Botan 2

From: Michael Raskin
Subject: Re: Official snapshot with Botan 2
Date: Wed, 21 Jul 2021 08:20:20 +0200

>On 2021-05-08 13:22, Michael Raskin wrote:
>>                  Hello
>>          I am trying to maintain a Monotone package in Nixpkgs. Currently
>> the Botan 1 version needed to build the latest Monotone release seems to
>> get a bunch of vulnerabilities reported (and so is marked insecure in
>> Nixpkgs). I have used net.venge.monotone.lapo.botan2 branch and the PCRE
>> 8.42 patch by Petr Písař to build Monotone with fresher versions and
>> indeed it works fine, syncs with 1.1 releases etc. However, right now
>> the only way I can grab it is via Monotone netsync, which is not good
>> for a Monotone package in a distribution package repository.
>If a bit of testing effort can be put together I think we better create 
>a proper new release with those patches included, as when I fixed botan2 
>patch in April I just didn't have enough time to ensure it was working 
>for everyone (I only checked it was working "enough for me").

Thank you again!

I can definitely confirm it words well enough for me, which includes 
sync with an older installation (and normal use, although I happen to do
merges inside the same branch and haven't done a propagate recently).

I guess the question is how we reach everyone (left)? Then, whether the
functional test coverage is complete enough, and maybe do we want to 
have some amount of installed-tests (given a checklist, I could write
those over time as a script, and maybe store nearby the Nix expression
so that they can be used in Nixpkgs CI, too)

>Basically, I don't have time to be a proper maintainer, but if patches 
>are created and tested together… I think I can take time to create new 
>releases from time to time.

Proper as in «lead hash function migration»? Because otherwise, it feels
like a maintenance-mode where no new features are ever expected but 
patches forced by outside changes are eventually accepted and released
_is_ what I would call maintenance.

>Last releases were cut by Markus but with some reading docs I could do 
>it given enough time, I think.
>(I am the maintainer of the server that host's the website too, so 
>accesses are not a problem)
>Lapo Luchini

reply via email to

[Prev in Thread] Current Thread [Next in Thread]