
Bug 567382

Summary: [Tracking] dev-libs/libgcrypt 1.5 branch removal from stable
Product: Gentoo Linux
Reporter: Alon Bar-Lev (RETIRED) <alonbl>
Component: Current packages
Assignee: Crypto team [DISABLED] <crypto+disabled>
Status: RESOLVED FIXED
Severity: normal
CC: alonbl, grknight, idl0r, k_f, pacho, rossi.f, steffen.weber
Priority: Normal
Keywords: Tracker
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=656372
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 567372, 567376, 567380, 585366    
Bug Blocks: 541564, 559942    

Description Alon Bar-Lev (RETIRED) gentoo-dev 2015-12-02 20:14:47 UTC
For some reason, I was under the impression that this has already been done.
Comment 1 Brian Evans (RETIRED) gentoo-dev 2015-12-03 19:32:34 UTC
You will also need libgcrypt:11/11 stable or see if dev-db/xtrabackup-bin can use the new libgcrypt in a version bump
Comment 2 Alon Bar-Lev (RETIRED) gentoo-dev 2015-12-03 19:37:33 UTC
(In reply to Brian Evans from comment #1)
> You will also need libgcrypt:11/11 stable or see if dev-db/xtrabackup-bin
> can use the new libgcrypt in a version bump

Hmmm... I thought that -bin packages are not going to stable branch.
We cannot make this libgcrypt stable as it has security issues; see bug #541564.
Comment 3 Brian Evans (RETIRED) gentoo-dev 2015-12-03 19:44:22 UTC
(In reply to Alon Bar-Lev from comment #2)
> (In reply to Brian Evans from comment #1)
> > You will also need libgcrypt:11/11 stable or see if dev-db/xtrabackup-bin
> > can use the new libgcrypt in a version bump
> 
> Hmmm... I thought that -bin packages are not going to stable branch.
> We cannot make this libgcrypt stable as it has security issues; see
> bug #541564.

@idl0r: Now we have an issue with xtrabackup-bin needing libgcrypt.so.11.  Even the latest 2.3.2 upstream still looks for it.
Comment 4 Fabio Rossi 2016-01-20 13:38:00 UTC
Also, the latest vmware-workstation-12.1.0.3272444 (not yet in portage) is shipped with libgcrypt.so.11 (however, I have not yet tested with the latest libgcrypt version).
Comment 5 Pacho Ramos gentoo-dev 2016-05-19 13:41:33 UTC
As a side note (as I see multiple reverse deps from closed-source packages needing it), it seems that Debian people are still maintaining the old .11 version for that (it is also the version Arch people are relying on for trying to have the security bugs fixed):
https://tracker.debian.org/pkg/libgcrypt11
Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-08-18 07:44:02 UTC
libgcrypt in branch 0/11 (stable 1.5) will be dropped soon; any application still requiring 1.5 will need to be changed to use 11/11, which means being dropped to ~arch as this slot will NOT be stabilized.

I'll bump 1.5.6 in 11/11 slot due to security bug, but this branch is not really still supported. Any application relying on 1.5 still should be fixed to use 1.7 (ABI and API compatible with 1.6).
Comment 7 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-08-18 08:40:14 UTC
The necessary reverse dependencies have already been properly updated, so removal is now done

commit d266cee915c186a65e4ac94e9726744c37077cdf
Author: Kristian Fiskerstrand <k_f@gentoo.org>
Date:   Thu Aug 18 10:38:10 2016 +0200

    dev-libs/libgcrypt: Remove vulnerable 1.5.5 in 0/11 slot
    
    This is the final package version in 0/11 slot
    
    Gentoo-Bug: 567382
    Gentoo-Bug: 591534
    
    Package-Manager: portage-2.3.0
Comment 8 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-08-18 16:16:26 UTC
Removed from stable; sufficient for this tracker for now. Will rather re-open if we want to drop testing support at a later stage.