Bug 726886

Summary: gnutls-2.12.23 is available
Product: [Fedora] Fedora
Component: gnutls
Version: rawhide
Status: CLOSED RAWHIDE
Severity: unspecified
Priority: high
Reporter: Upstream Release Monitoring <upstream-release-monitoring>
Assignee: Tomas Mraz <tmraz>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: awilliam, bugsgentoo, danw, dwmw2, erik-fedora, jorton, kalevlember, renich, robatino, samuel-rhbugs, tmraz
Keywords: FutureFeature, Triaged
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: RejectedBlocker
Doc Type: Enhancement
Last Closed: 2013-05-07 06:47:12 UTC
Bug Depends On: 837331    
Bug Blocks: 182235    

Description Upstream Release Monitoring 2011-07-30 10:16:06 UTC
Latest upstream release: 3.0.0
Current version in Fedora Rawhide: 2.12.7
URL: http://ftp.gnu.org/gnu/gnutls/

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy

More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring

Comment 1 Tomas Mraz 2011-08-01 08:03:39 UTC
This will not be an easy update as:
1. it is ABI incompatible -> requires rebuilds of dependencies
2. it does not use libgcrypt as a crypto backend anymore - impacts the proliferation of crypto libraries in the distribution.

Comment 2 Upstream Release Monitoring 2011-08-21 10:16:19 UTC
Latest upstream release: 3.0.1
Current version in Fedora Rawhide: 2.12.8
URL: http://ftp.gnu.org/gnu/gnutls/


Comment 3 Upstream Release Monitoring 2011-09-01 10:17:09 UTC
Latest upstream release: 3.0.2
Current version in Fedora Rawhide: 2.12.9
URL: http://ftp.gnu.org/gnu/gnutls/


Comment 4 Upstream Release Monitoring 2011-09-19 10:19:13 UTC
Latest upstream release: 3.0.3
Current version in Fedora Rawhide: 2.12.9
URL: http://ftp.gnu.org/gnu/gnutls/


Comment 5 Upstream Release Monitoring 2011-10-15 10:26:42 UTC
Latest upstream release: 3.0.4
Current version in Fedora Rawhide: 2.12.11
URL: http://ftp.gnu.org/gnu/gnutls/


Comment 6 Tomas Mraz 2011-10-19 18:30:12 UTC
*** Bug 747396 has been marked as a duplicate of this bug. ***

Comment 7 Upstream Release Monitoring 2011-10-28 10:20:53 UTC
Latest upstream release: 3.0.5
Current version in Fedora Rawhide: 2.12.11
URL: http://ftp.gnu.org/gnu/gnutls/


Comment 8 Upstream Release Monitoring 2011-11-08 11:20:50 UTC
Latest upstream release: 3.0.7
Current version in Fedora Rawhide: 2.12.12
URL: http://ftp.gnu.org/gnu/gnutls/


Comment 9 Upstream Release Monitoring 2011-11-14 11:20:05 UTC
Latest upstream release: 3.0.8
Current version in Fedora Rawhide: 2.12.14
URL: http://ftp.gnu.org/gnu/gnutls/


Comment 10 Account closed by user 2011-12-09 19:43:36 UTC
(In reply to comment #1)

> This will not be an easy update as:
> 1. it is ABI incompatible -> requires rebuilds of dependencies
> 2. it does not use libgcrypt as a crypto backend anymore - impacts the
> proliferation of crypto libraries in the distribution.

API changes/compatibility test results for the GnuTLS library

  http://upstream-tracker.org/versions/gnutls.html

Comment 11 Upstream Release Monitoring 2011-12-14 11:17:24 UTC
Latest upstream release: 3.0.9
Current version in Fedora Rawhide: 2.12.14
URL: http://ftp.gnu.org/gnu/gnutls/


Comment 12 Upstream Release Monitoring 2012-01-13 11:20:16 UTC
Latest upstream release: 3.0.11
Current version in Fedora Rawhide: 2.12.14
URL: http://ftp.gnu.org/gnu/gnutls/


Comment 13 Upstream Release Monitoring 2012-01-21 11:17:21 UTC
Latest upstream release: 3.0.12
Current version in Fedora Rawhide: 2.12.14
URL: http://ftp.gnu.org/gnu/gnutls/


Comment 14 Upstream Release Monitoring 2012-02-19 13:06:19 UTC
Latest upstream release: 3.0.13
Current version in Fedora Rawhide: 2.12.14
URL: http://ftp.gnu.org/gnu/gnutls/


Comment 15 Upstream Release Monitoring 2012-02-27 11:19:32 UTC
Latest upstream release: 3.0.14
Current version in Fedora Rawhide: 2.12.14
URL: http://ftp.gnu.org/gnu/gnutls/


Comment 16 Upstream Release Monitoring 2012-03-13 19:00:33 UTC
Latest upstream release: 3.0.15
Current version in Fedora Rawhide: 2.12.17
URL: http://ftp.gnu.org/gnu/gnutls/


Comment 17 Upstream Release Monitoring 2012-03-18 17:21:00 UTC
Latest upstream release: 3.0.17
Current version in Fedora Rawhide: 2.12.17
URL: http://ftp.gnu.org/gnu/gnutls/


Comment 18 Upstream Release Monitoring 2012-04-03 10:21:37 UTC
Latest upstream release: 3.0.18
Current version in Fedora Rawhide: 2.12.18
URL: http://ftp.gnu.org/gnu/gnutls/


Comment 19 Upstream Release Monitoring 2012-04-23 10:18:51 UTC
Latest upstream release: 3.0.19
Current version in Fedora Rawhide: 2.12.18
URL: http://ftp.gnu.org/gnu/gnutls/


Comment 20 Upstream Release Monitoring 2012-06-05 20:32:34 UTC
Latest upstream release: 3.0.20
Current version in Fedora Rawhide: 2.12.19
URL: http://ftp.gnu.org/gnu/gnutls/


Comment 21 David Woodhouse 2012-06-10 10:08:30 UTC
Eep, Fedora 17 shipped and is *still* stuck on GnuTLS 2.12. I've ported the OpenConnect VPN client to GnuTLS to solve KDE licensing issues with OpenSSL, and it requires DTLS support...

I understand why it was non-trivial to update in an existing release, but we really ought to have worked it out by now, surely?

Has the feedback in comment #1 been given to the GnuTLS maintainers, and has anything been done to attempt to resolve the issue?

Comment 22 Account closed by user 2012-06-10 11:25:27 UTC
Version 2.12.20 (released 2012-06-10)

** libgnutls: Fixed memory leak in PKCS #8 key import.

** libgnutls: Check key identifiers when checking for an issuer.

** API and ABI modifications:
No changes since last version.

Comment 23 David Woodhouse 2012-06-11 01:19:13 UTC
With GnuTLS we can't even

Comment 24 Tomas Mraz 2012-06-11 06:30:58 UTC
I'm sorry David, but I do not plan to update to 3.0.20 any time soon. Definitely not earlier than after F18 branching. The problem with 3.0.20 is the drop of the libgcrypt backend and the basically unconditional inclusion of Elliptic Curve support, which we cannot ship due to ECC being a patent minefield.

Comment 25 David Woodhouse 2012-06-11 10:13:33 UTC
GnuTLS 3.0 has been out for almost a year now. Can you point me to any discussion that has been had with the upstream maintainers about these issues?

I note that in duplicate bug #747396, last October, the response was 'not before F17'. Now the response, even this early in the cycle, is 'not before F18'.

If we check back in another 6 months, will it have changed to 'not before F19'?

Comment 26 David Woodhouse 2012-06-12 07:26:46 UTC
I asked the maintainer about this, and received the following response:

> I think their policy on elliptic curves is outdated. IETF has
> published the ecc fundamental parts that are not known to be covered
> by patents in [0] and these are the parts we use in gnutls. In any
> case it is their policy. It is doable though to isolate the elliptic
> curves  parts but it is not trivial work and I have no plans to do it
> unless there is a real reason.
> 
> regards,
> Nikos
> 
> [0]. http://www.rfc-editor.org/rfc/rfc6090.txt

Has this been referred to the legal team for an opinion?

Comment 27 David Woodhouse 2012-06-18 10:25:28 UTC
For now I've managed to work around most of the limitations of GnuTLS 2.12, and even enable PKCS#11 and TPM support in the OpenConnect VPN client in Fedora. It's not pretty, but it builds and is *almost* fully functional.

The one thing that's still broken with our ancient version of GnuTLS is filed as bug 832729. Because the get_issuer() function returns incorrect results, we sometimes fail to authenticate against the server.

Valgrind also shows some memory leaks which don't exist with GnuTLS 3.0.

Comment 28 David Woodhouse 2012-06-18 16:18:56 UTC
There's an updated specfile for nettle 2.4 at http://david.woodhou.se/nettle.spec which I'm now using for my local OpenConnect builds with GnuTLS 3.0

Comment 29 David Woodhouse 2012-06-19 23:15:48 UTC
And a gnutls specfile based on the current Fedora master at 2.12.19-1 (commit a201b9b4): http://david.woodhou.se/gnutls.spec

I didn't bother to rip out SRP; it really does look like the noise about SRP patents was just FUD, and it doesn't seem to have been repeated in the last few years. If we were going to rip stuff out based on such dubious rumours of patents, then we should take Ogg out too because of the nonsense the MPEG-LA are spouting about it infringing MP3 patents.

Comment 30 Upstream Release Monitoring 2012-07-03 10:12:54 UTC
Latest upstream release: 3.0.21
Current version in Fedora Rawhide: 2.12.20
URL: http://ftp.gnu.org/gnu/gnutls/


Comment 31 David Woodhouse 2012-07-03 14:06:00 UTC
(In reply to comment #26)
> I asked the maintainer about this, and received the following response:
> 
> > I think their policy on elliptic curves is outdated. IETF has
> > published the ecc fundamental parts that are not known to be covered
> > by patents in [0] and these are the parts we use in gnutls. In any
> > case it is their policy. It is doable though to isolate the elliptic
> > curves  parts but it is not trivial work and I have no plans to do it
> > unless there is a real reason.
> > 
> > regards,
> > Nikos
> > 
> > [0]. http://www.rfc-editor.org/rfc/rfc6090.txt
> 
> Has this been referred to the legal team for an opinion?

I've just had another look at RFC6090. It seems to have been published with the *express* intention of documenting the fundamental parts of ECC, using normative references published no later than 1994 (i.e. which cannot possibly be covered by non-expired patents). It even goes so far as to define MAY/SHOULD/MUST/etc. for itself rather than referring to RFC2119 for their definitions, because RFC2119 was published after 1994 ☺

The concern about patents on elliptic curve cryptography, at least as implemented in GnuTLS, definitely seems to be unfounded.

Comment 32 David Woodhouse 2012-07-03 14:23:21 UTC
Tomas, I'm happy to comaintain this package and push a v3 update for Fedora 18 if you are willing.

Comment 33 David Woodhouse 2012-07-03 15:33:24 UTC
http://david.woodhou.se/gnutls.spec updated to 3.0.21.

Comment 34 David Woodhouse 2012-07-06 07:14:00 UTC
Scratch build (now that nettle is back in the distro) at http://koji.fedoraproject.org/koji/taskinfo?taskID=4222205

Comment 35 Tomas Mraz 2012-07-09 08:37:59 UTC
I am sorry, but I really do not want this update before Fedora 18 release. And the inclusion of the ECC code in Fedora must be acked by Fedora legal. Even the scratch build is not OK in this regard.

Comment 36 Kalev Lember 2012-07-28 10:55:46 UTC
It might make sense to create parallel installable gnutls 3 / gnutls 2 packages to avoid requiring a rebuild of all the gnutls packages. Though this could lead to hard-to-diagnose problems when both gnutls 3 and gnutls 2 somehow get pulled into the same process.

However, there's still the issue with ECC code requiring Fedora Legal approval.

Comment 37 Adam Williamson 2012-08-03 23:40:51 UTC
Discussed at the blocker bug review meeting of 2012-08-03: http://meetbot.fedoraproject.org/fedora-bugzappers/2012-08-03/f18-alpha-blocker-review-1.2012-08-03-17.01.log.html .

Rejected as a blocker on the grounds that it does not appear to violate any release criteria, this is merely an engineering/packaging issue. Just because you _want_ something to be sorted out by a given deadline doesn't mean it _must_ be sorted out by that point. We don't violate any of our Alpha criteria by shipping Alpha with an older gnutls.

Please re-propose if there are genuine grounds for this blocking Alpha release that we missed, with reference to the criteria: https://fedoraproject.org/wiki/Fedora_18_Alpha_Release_Criteria

Comment 38 Upstream Release Monitoring 2012-08-05 09:28:43 UTC
Latest upstream release: 3.0.22
Current version in Fedora Rawhide: 2.12.20
URL: http://ftp.gnu.org/gnu/gnutls/


Comment 39 Upstream Release Monitoring 2012-08-16 11:23:50 UTC
Latest upstream release: 3.1.0
Current version in Fedora Rawhide: 2.12.20
URL: http://ftp.gnu.org/gnu/gnutls/


Comment 40 Upstream Release Monitoring 2012-09-02 19:18:19 UTC
Latest upstream release: 3.1.1
Current version in Fedora Rawhide: 2.12.20
URL: http://ftp.gnu.org/gnu/gnutls/


Comment 41 Upstream Release Monitoring 2012-09-27 07:10:09 UTC
Latest upstream release: 3.1.2
Current version in Fedora Rawhide: 2.12.20
URL: http://ftp.gnu.org/gnu/gnutls/


Comment 42 Upstream Release Monitoring 2012-10-12 17:23:32 UTC
Latest upstream release: 3.1.3
Current version in Fedora Rawhide: 2.12.20
URL: http://ftp.gnu.org/gnu/gnutls/


Comment 43 Upstream Release Monitoring 2012-11-12 14:46:03 UTC
Latest upstream release: 3.1.4
Current version in Fedora Rawhide: 2.12.21
URL: http://ftp.gnu.org/gnu/gnutls/


Comment 44 Upstream Release Monitoring 2012-11-25 17:10:18 UTC
Latest upstream release: 3.1.5
Current version in Fedora Rawhide: 2.12.21
URL: http://ftp.gnu.org/gnu/gnutls/


Comment 45 Account closed by user 2012-12-07 17:05:18 UTC
ping! Fedora 19 is open.

Comment 46 Dan Winship 2013-02-04 13:01:29 UTC
gnutls 2.12 is being end-of-lifed, so soon there won't be any more security fixes to it...

http://lists.gnupg.org/pipermail/gnutls-devel/2013-February/006086.html

Comment 47 Tomas Mraz 2013-02-04 13:12:54 UTC
I'm currently working on gnutls-3.1 for Fedora 19. I hope to complete it before the mass rebuild.

Comment 48 Account closed by user 2013-02-04 13:15:25 UTC
Latest upstream release: 2.12.23
Current version in Fedora Rawhide: 2.12.22
URL: ftp://ftp.gnutls.org/gcrypt/gnutls/v2.12/



Version 2.12.23 (released 2012-02-04)

** libgnutls: Eliminated memory leak in PKCS #11 initialization.
Report and fix by Sam Varshavchik.

** libgnutls: Fixes in record padding parsing to prevent a timing attack. 
Issue reported by Kenny Patterson and Nadhem Alfardan.

** libgnutls: DN variable 'T' was expanded to 'title'.

** API and ABI modifications:
No changes since last version.

Comment 49 Upstream Release Monitoring 2013-02-05 09:40:05 UTC
Latest upstream release: 2.12.23
Current version in Fedora Rawhide: 2.12.22
URL: ftp://ftp.gnutls.org/gcrypt/gnutls/v2.12/


Comment 50 Tomas Mraz 2013-05-07 06:47:12 UTC
Rawhide now contains 3.1.10.