[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Bug#820816: stop using gnulib

From: Simon Josefsson
Subject: Bug#820816: stop using gnulib
Date: Wed, 20 Jul 2016 18:54:47 +0200
User-agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)

Antoine Beaupré <address@hidden> writes:

> Source: libidn
> Severity: normal
> the use of gnulib in this package makes it significantly harder to
> backport security patches around the different Debian suites. I have
> spent a long time trying to figure out how to update the gnulib source
> code in libidn for CVE-2015-2059, for example. it was pretty painful!

Hello.  I am sorry to hear that.

> using an external library like libunistring would be much better. i
> understand that gnulib is necessary to port to certain environments
> for the GNU system, but this here is Debian, we can certainly do
> better!
> this would also be in accordance with §4.13:

There are two answers to this.

1) I recall Debian has granted an exception for gnulib.  Gnulib is used
in many core packages such as GNU coreutils, inetutils, tar, awk, etc.

2) Using libunistring does not work for libidn I'm afraid.  The IDNA
specifications are written to require Unicode 3.2.0.  IDNA is hard coded
to that Unicode version.  Using modern Unicode libraries will make the
library return incorrect data, since the Unicode algorithms have changed
in backwards incompatible ways since 3.2.0.

I hope this clarifies.  I'm not sure there is anything more we can do,
unless you point to more concrete issues that can be patched.


Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]