Bug 538488 - =dev-libs/libgcrypt-1.6.3-r4 stable request
Summary: =dev-libs/libgcrypt-1.6.3-r4 stable request
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Keywording and Stabilization
Hardware: All Linux
: Normal normal
Assignee: Crypto team [DISABLED]
Keywords: STABLEREQ
Depends on: 494638 533270 559132 559754
Blocks: CVE-2014-3591 gnupg-2.1, gnupg-2.2
Reported: 2015-02-02 00:25 UTC by Matthew Thode ( prometheanfire )
Modified: 2015-11-30 20:35 UTC
Description Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-02-02 00:25:11 UTC
Can't find any bugs open for it and it's been out for well over long enough I feel.

Here are the arches as a note.
alpha amd64 arm arm64 hppa ia64 m68k s390 sh sparc x86

The deps stayed the same between 1.5.4 and 1.6.2, so at least don't need to check keywords there :D

As a note for the eventual removal of 1.5.4, only two packages I can see need it.
sys-fs/ntfs3g-2013.1.13      (the 2014 versions don't have a problem with it, but would need stabilization)
sys-power/suspend-0.8-r1
sys-power/suspend-1.0

Reproducible: Always
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-02-02 00:26:19 UTC
please CC arches if you agree :D
Comment 2 Kristian Fiskerstrand gentoo-dev Security 2015-02-02 15:52:07 UTC
I would be fine with dev-libs/libgcrypt-1.6.2. What do you say Alon?
Comment 3 Alon Bar-Lev gentoo-dev 2015-02-02 15:56:31 UTC
(In reply to Kristian Fiskerstrand from comment #2)
> I would be fine with dev-libs/libgcrypt-1.6.2. What do you say Alon?

Yes, I do not expect a smooth transfer... please do this only when you have time to handle the side effects...
Comment 4 Kristian Fiskerstrand gentoo-dev Security 2015-02-27 21:30:02 UTC
Note that 1.6.3 was just released with security fixes for two side channel attacks.
Comment 5 Matt Turner gentoo-dev 2015-05-21 04:39:39 UTC
I just built this as part of keywording bug 546478 on alpha. Are we ready to stabilize?
Comment 6 Anthony Basile gentoo-dev 2015-08-29 19:42:30 UTC
(In reply to Matt Turner from comment #5)
> I just built this as part of keywording bug 546478 on alpha. Are we ready to
> stabilize?

I'm going to proceed to stabilize ppc and ppc64 first, with full rev dep testing. Then arm and then I'll do amd64 and x86. I was not able to hit bug #528514 but when I get to x86, we'll see.


KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 7 Anthony Basile gentoo-dev 2015-09-05 13:45:42 UTC
stable for ppc and ppc64.
Comment 8 Agostino Sarubbo gentoo-dev 2015-09-05 14:58:29 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-09-05 14:59:28 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-09-05 14:59:56 UTC
(In reply to Anthony Basile from comment #6)
> (In reply to Matt Turner from comment #5)
> > I just built this as part of keywording bug 546478 on alpha. Are we ready to
> > stabilize?
> 
> I'm going to proceed to stabilize ppc and ppc64 first, with full rev dep
> testing.  Then arm and then I'll do amd64 and x86.  I was not able to hit
> bug #528514 but when I get to x86, we'll see.

I don't consider 528514 a blocker because it was reproduced with the actual stable libgcrypt.
Comment 11 Jeroen Roovers gentoo-dev 2015-09-08 04:27:18 UTC
Stable for HPPA.
Comment 12 Tobias Klausmann gentoo-dev 2015-09-15 09:26:03 UTC
Stable on alpha.
Comment 13 Manfred Knick 2015-10-11 11:15:36 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #0)

> As a note for the eventual removal of 1.5.4, 
> only two packages I can see
> need it.

At the moment,  

[vmware overlay] app-emulation/vmware-workstation-11.1.2.2780323-r3.ebuild

also depends upon

   dev-libs/libgcrypt-1.5.4-r100:11/11 .

Thanks.
Comment 14 Andreas K. Hüttel gentoo-dev 2015-10-11 11:57:55 UTC
(In reply to Manfred Knick from comment #13)
>
> [vmware overlay] app-emulation/vmware-workstation-11.1.2.2780323-r3.ebuild 
> also depends upon
>    dev-libs/libgcrypt-1.5.4-r100:11/11 .

Well this popped up because I'm unbundling the libraries there (will go into the main tree sometime soon).

Either I undo that, or we need the binary-only slot 11 to stick around.

(Preferably stabilized at the same time as 1.6, since otherwise Portage silently prevents the libgcrypt upgrade for vmware users on stable systems.)
Comment 15 Alon Bar-Lev gentoo-dev 2015-10-11 12:04:59 UTC
(In reply to Andreas K. Hüttel from comment #14)
> (Preferably stabilized at the same time as 1.6, since otherwise Portage
> silently prevents the libgcrypt upgrade for vmware users on stable systems.)

1.6 is already stable in most archs, and vmware-workstation is non-stable anyway. We keep the r100 only for vmware.
Comment 16 Kristian Fiskerstrand gentoo-dev Security 2015-10-11 12:19:24 UTC
(In reply to Alon Bar-Lev from comment #15)
> (In reply to Andreas K. Hüttel from comment #14)
> > (Preferably stabilized at the same time as 1.6, since otherwise Portage
> > silently prevents the libgcrypt upgrade for vmware users on stable systems.)
> 
> 1.6 is already stable in most archs, and vmware-workstation is non-stable
> anyway. We keep the r100 only for vmware.

I see no issue doing that for now, but 1.5 is no longer maintained upstream and is already missing fixes for at least three known security matters, cf. bug 541564 and bug 559942. The severity of these doesn't merit dropping support for 1.5 at this point, but it certainly would be discouraged and future issues are likely not to be backported.
Comment 17 Kristian Fiskerstrand gentoo-dev Security 2015-10-11 12:20:36 UTC
(In reply to Kristian Fiskerstrand from comment #16)
> (In reply to Alon Bar-Lev from comment #15)
> > (In reply to Andreas K. Hüttel from comment #14)
> > > (Preferably stabilized at the same time as 1.6, since otherwise Portage
> > > silently prevents the libgcrypt upgrade for vmware users on stable systems.)
> > 
> > 1.6 is already stable in most archs, and vmware-workstation is non-stable
> > anyway. We keep the r100 only for vmware.
> 
> I see no issue doing that for now, but 1.5 is no longer maintained upstream
> and is already missing fixes for at least three known security matters, cf.
> bug 541564 and bug 559942. The severity of these doesn't merit dropping
> support for 1.5 at this point, but it certainly would be discouraged and
> future issues are likely not to be backported.

Granted; the issue here is the same if a bundled version is used, it is just less transparent in that case.
Comment 18 Andreas K. Hüttel gentoo-dev 2015-10-11 17:25:18 UTC
(In reply to Alon Bar-Lev from comment #15)
> (In reply to Andreas K. Hüttel from comment #14)
> > (Preferably stabilized at the same time as 1.6, since otherwise Portage
> > silently prevents the libgcrypt upgrade for vmware users on stable systems.)
> 
> 1.6 is already stable in most archs, and vmware-workstation is non-stable
> anyway. We keep the r100 only for vmware.

Which already means that (without manual keywording of the r100) the vmware users just don't upgrade to 1.6 (the upgrade is silently dropped by emerge). Probably I should add some has_version to the vmware ebuilds so people are warned about this.
Comment 19 Alon Bar-Lev gentoo-dev 2015-10-11 17:31:46 UTC
(In reply to Andreas K. Hüttel from comment #18)
> (In reply to Alon Bar-Lev from comment #15)
> > (In reply to Andreas K. Hüttel from comment #14)
> > > (Preferably stabilized at the same time as 1.6, since otherwise Portage
> > > silently prevents the libgcrypt upgrade for vmware users on stable systems.)
> > 
> > 1.6 is already stable in most archs, and vmware-workstation is non-stable
> > anyway. We keep the r100 only for vmware.
> 
> Which already means that (without manual keywording of the r100) the vmware
> users just don't upgrade to 1.6 (the upgrade is silently dropped by emerge).
> Probably I should add some has_version to the vmware ebuilds so people are
> warned about this.

I've never been there, but as far as I know slot 0 will be updated to latest on that slot.
Comment 20 Kristian Fiskerstrand gentoo-dev Security 2015-10-11 18:38:33 UTC
(In reply to Alon Bar-Lev from comment #19)
> (In reply to Andreas K. Hüttel from comment #18)
> > (In reply to Alon Bar-Lev from comment #15)
> > > (In reply to Andreas K. Hüttel from comment #14)
> > > > (Preferably stabilized at the same time as 1.6, since otherwise Portage
> > > > silently prevents the libgcrypt upgrade for vmware users on stable systems.)
> > > 
> > > 1.6 is already stable in most archs, and vmware-workstation is non-stable
> > > anyway. We keep the r100 only for vmware.
> > 
> > Which already means that (without manual keywording of the r100) the vmware
> > users just don't upgrade to 1.6 (the upgrade is silently dropped by emerge).
> > Probably I should add some has_version to the vmware ebuilds so people are
> > warned about this.
> 
> I've never been there, but as far as I know slot 0 will be updated to latest on
> that slot.

Yup, it is under a separate slot so shouldn't cause any run-time issues as long as we don't run into a security vulnerability down the road that is non-trivial to backport.
Comment 21 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-10-16 07:59:20 UTC
sparc stable
Comment 22 Anthony Basile gentoo-dev 2015-11-04 21:22:52 UTC
The remaining arches are arm64, ia64, m68k, s390 and sh. But these are not stable arches. Shall we close this bug?
Comment 23 Anthony Basile gentoo-dev 2015-11-04 21:24:01 UTC
(In reply to Anthony Basile from comment #22)
> The remaining arches are arm64, ia64, m68k, s390 and sh. But these are not
> stable arches.  Shall we close this bug?

I'm sorry, ia64 is not an unstable arch.
Comment 24 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-11-08 19:14:17 UTC
ia64 stable
Comment 25 Kristian Fiskerstrand gentoo-dev Security 2015-11-30 20:35:21 UTC
All stable (In reply to Mikle Kolyada from comment #24)
> ia64 stable

Thanks, all stable arches are then stabilized, closing this bug