help-libidn

Bug#820816: stop using gnulib


From: Simon Josefsson
Subject: Bug#820816: stop using gnulib
Date: Wed, 20 Jul 2016 18:54:47 +0200
User-agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)

Antoine Beaupré <address@hidden> writes:

> Source: libidn
> Severity: normal
>
> The use of gnulib in this package makes it significantly harder to
> backport security patches around the different Debian suites. I have
> spent a long time trying to figure out how to update the gnulib source
> code in libidn for CVE-2015-2059, for example. It was pretty painful!

Hello.  I am sorry to hear that.

> Using an external library like libunistring would be much better. I
> understand that gnulib is necessary to port to certain environments
> for the GNU system, but this here is Debian, we can certainly do
> better!
>
> This would also be in accordance with §4.13:
>
> https://www.debian.org/doc/debian-policy/ch-source.html#s-embeddedfiles

There are two answers to this.

1) I recall Debian has granted an exception for gnulib.  Gnulib is used
in many core packages such as GNU coreutils, inetutils, tar, awk, etc.

2) Using libunistring does not work for libidn, I'm afraid.  The IDNA
specifications are written to require Unicode 3.2.0.  IDNA is hard-coded
to that Unicode version.  Using modern Unicode libraries will make the
library return incorrect data, since the Unicode algorithms have changed
in backwards incompatible ways since 3.2.0.

I hope this clarifies.  I'm not sure there is anything more we can do,
unless you point to more concrete issues that can be patched.

Thanks,
/Simon
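
Added example, not part of the original message and not libidn code: Python's standard library keeps a frozen Unicode 3.2.0 database (`unicodedata.ucd_3_2_0`, which `stringprep` uses), so the incompatibility described in point 2 can be observed by comparing it with the interpreter's current tables. The function names, sample code points and sample label are constructed for illustration.

```python
import stringprep
import unicodedata
from unicodedata import ucd_3_2_0  # frozen Unicode 3.2.0 tables, kept for IDNA2003


def drift(ch):
    """Return (property, 3.2.0 value, current value) for each property that differs."""
    out = []
    old_cat, new_cat = ucd_3_2_0.category(ch), unicodedata.category(ch)
    if old_cat != new_cat:
        out.append(("category", old_cat, new_cat))
    old_nfkc = ucd_3_2_0.normalize("NFKC", ch)
    new_nfkc = unicodedata.normalize("NFKC", ch)
    if old_nfkc != new_nfkc:
        out.append(("NFKC", old_nfkc, new_nfkc))
    return out


def unassigned_for_idna2003(label):
    """Code points that stringprep table A.1 treats as unassigned (Unicode 3.2.0)
    but that the current database has since assigned."""
    return [ch for ch in label
            if stringprep.in_table_a1(ch) and unicodedata.category(ch) != "Cn"]


# Constructed samples:
#   U+1E9E  was added after 3.2.0, so it is unassigned (Cn) in the old tables
#   U+2F868 had its decomposition corrected after 3.2.0, so NFKC output changed
#   "a"     is stable and shows the no-difference case
SAMPLES = ["\u1e9e", "\U0002f868", "a"]
SAMPLE_LABEL = "stra\u1e9ee"  # constructed label containing U+1E9E

if __name__ == "__main__":
    for ch in SAMPLES:
        diffs = drift(ch)
        print(f"U+{ord(ch):04X}:", diffs if diffs else "no difference")
    flagged = unassigned_for_idna2003(SAMPLE_LABEL)
    print("unassigned under 3.2.0:", [f"U+{ord(c):04X}" for c in flagged])
```

A library that consults only the current tables would treat the first two code points differently from what the 3.2.0-based IDNA rules specify.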
