Acknowledgement sent to Antoine Beaupré <anarcat@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Libidn Team <help-libidn@gnu.org>.
(Tue, 12 Apr 2016 17:51:06 GMT)
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: stop using gnulib
Date: Tue, 12 Apr 2016 13:45:21 -0400
Source: libidn
Severity: normal
The use of gnulib in this package makes it significantly harder to
backport security patches around the different Debian suites. I have
spent a long time trying to figure out how to update the gnulib source
code in libidn for CVE-2015-2059, for example. It was pretty painful!
Using an external library like libunistring would be much better. I
understand that gnulib is necessary to port to certain environments
for the GNU system, but this here is Debian, we can certainly do
better!
This would also be in accordance with §4.13:
https://www.debian.org/doc/debian-policy/ch-source.html#s-embeddedfiles
-- System Information:
Debian Release: 8.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (1, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.2.0-0.bpo.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libidn Team <help-libidn@gnu.org>: Bug#820816; Package src:libidn.
(Wed, 20 Jul 2016 16:57:03 GMT)
Acknowledgement sent to Simon Josefsson <simon@josefsson.org>:
Extra info received and forwarded to list. Copy sent to Debian Libidn Team <help-libidn@gnu.org>.
(Wed, 20 Jul 2016 16:57:03 GMT)
Antoine Beaupré <anarcat@debian.org> writes:
> Source: libidn
> Severity: normal
>
> The use of gnulib in this package makes it significantly harder to
> backport security patches around the different Debian suites. I have
> spent a long time trying to figure out how to update the gnulib source
> code in libidn for CVE-2015-2059, for example. It was pretty painful!
Hello. I am sorry to hear that.
> Using an external library like libunistring would be much better. I
> understand that gnulib is necessary to port to certain environments
> for the GNU system, but this here is Debian, we can certainly do
> better!
>
> This would also be in accordance with §4.13:
>
> https://www.debian.org/doc/debian-policy/ch-source.html#s-embeddedfiles
There are two answers to this.
1) I recall Debian has granted an exception for gnulib. Gnulib is used
in many core packages such as GNU coreutils, inetutils, tar, awk, etc.
2) Using libunistring does not work for libidn I'm afraid. The IDNA
specifications are written to require Unicode 3.2.0. IDNA is hard coded
to that Unicode version. Using modern Unicode libraries will make the
library return incorrect data, since the Unicode algorithms have changed
in backwards incompatible ways since 3.2.0.
I hope this clarifies. I'm not sure there is anything more we can do,
unless you point to more concrete issues that can be patched.
Thanks,
/Simon
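Simon's point about the Unicode 3.2.0 pin can be checked directly in Python, which ships a frozen copy of that database (unicodedata.ucd_3_2_0) next to the current one and uses the frozen copy in its own RFC 3490 codec. This is an added example, not code from libidn or from either correspondent; the sample labels are constructed.

```python
"""Compare nameprep-relevant Unicode data under 3.2.0 and the current UCD.

IDNA2003 (RFC 3490/3491) mandates stringprep over Unicode 3.2.0. A
modern Unicode library classifies and normalizes some code points
differently, which is the "incorrect data" the bug discussion refers to.
"""
import stringprep
import unicodedata
from unicodedata import ucd_3_2_0  # frozen UCD that nameprep requires


def classify(ch: str) -> dict:
    """Describe one code point under Unicode 3.2.0 and under the current UCD."""
    return {
        "cp": f"U+{ord(ch):04X}",
        "cat_3_2_0": ucd_3_2_0.category(ch),
        "cat_now": unicodedata.category(ch),
        "nfkc_3_2_0": ucd_3_2_0.normalize("NFKC", ch),
        "nfkc_now": unicodedata.normalize("NFKC", ch),
        # stringprep table A.1: code points unassigned in Unicode 3.2.0
        "unassigned_a1": stringprep.in_table_a1(ch),
    }


def nameprep_divergences(label: str) -> list:
    """Code points of `label` for which a current-UCD pass would disagree
    with the Unicode 3.2.0 pass that nameprep mandates."""
    return [
        classify(c)["cp"]
        for c in label
        if ucd_3_2_0.normalize("NFKC", c) != unicodedata.normalize("NFKC", c)
        or ucd_3_2_0.category(c) != unicodedata.category(c)
    ]


# Constructed sample labels (not taken from the bug report):
# U+0221 LATIN SMALL LETTER D WITH CURL was added in Unicode 4.0, so it is
# unassigned for nameprep but a plain letter today; U+FE10 (vertical comma,
# added in Unicode 4.1) gets a compatibility decomposition to "," in the
# current UCD and none at all in 3.2.0.
SAMPLES = ["example", "d\u0221", "x\ufe10y"]

if __name__ == "__main__":
    for label in SAMPLES:
        for c in label:
            print(classify(c))
        print(repr(label), "->", nameprep_divergences(label))
```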
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libidn Team <help-libidn@gnu.org>: Bug#820816; Package src:libidn.
(Mon, 01 Aug 2016 17:15:03 GMT)
Acknowledgement sent to Antoine Beaupré <anarcat@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Libidn Team <help-libidn@gnu.org>.
(Mon, 01 Aug 2016 17:15:03 GMT)
On 2016-07-20 12:54:47, Simon Josefsson wrote:
> 1) I recall Debian has granted an exception for gnulib. Gnulib is used
> in many core packages such as GNU coreutils, inetutils, tar, awk, etc.
I can imagine. :)
> 2) Using libunistring does not work for libidn I'm afraid. The IDNA
> specifications are written to require Unicode 3.2.0. IDNA is hard coded
> to that Unicode version. Using modern Unicode libraries will make the
> library return incorrect data, since the Unicode algorithms have changed
> in backwards incompatible ways since 3.2.0.
>
> I hope this clarifies. I'm not sure there is anything more we can do,
> unless you point to more concrete issues that can be patched.
I was afraid of something like this. I don't see how this can be
fixed, indeed.
Thanks for looking into this, it was worth a try!
a/
--
Revolution is not accompanied by a handful of conspirators whispering
around a guttering candle in a deserted ruin. It requires countless
supplies, modern machinery, and modern weapons [...] and there must be
loyalty [...] and superlative staff organization.
- Robert A. Heinlein
Reply sent to Simon Josefsson <simon@josefsson.org>:
You have taken responsibility.
(Sun, 25 Sep 2016 17:09:14 GMT)
Notification sent to Antoine Beaupré <anarcat@debian.org>:
Bug acknowledged by developer.
(Sun, 25 Sep 2016 17:09:14 GMT)
I'm closing this as it appears there is nothing actionable to do here.
I'm happy to improve things if you have ideas, but I don't see any way
to improve the situation given the information we have in this report.
/Simon