Latest upstream release: 0.058
Current version/release in rawhide: 0.053-1.fc28
URL: http://search.cpan.org/dist/CryptX/
Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.
Based on the information from anitya: https://release-monitoring.org/project/11620/
This CryptX > 0.53 requires features that are not yet available in libtomcrypt-1.18.1. I'm porting fixes from CryptX-0.058 to perl-CryptX-0.053-2.fc[29-27].
Latest upstream release: 0.059
Current version/release in rawhide: 0.053-3.fc29
0.059 only enhanced ECC support and fixed building with perl 5.8.1. Nothing interesting for Fedora's stripped package. Upgrade postponed to newer libtomcrypt.
Latest upstream release: 0.060
Current version/release in rawhide: 0.053-3.fc29
0.060 rebased bundled libtomcrypt, adapted CryptX to it, removed buggy test that started to fail with recent Math::BigInt, and fixed Fortuna PRNG in bundled libtomcrypt. The only interesting change is the Math::BigInt fix that I will port to Fedora. CryptX upgrade postponed to newer libtomcrypt.
Latest upstream release: 0.061
Current version/release in rawhide: 0.053-4.fc29
0.60..0.61 only updates bundled libraries and adapts Perl code to them. Nothing for backport to Fedora. CryptX upgrade postponed to newer libtomcrypt.
libtomcrypt-1.18.2 available in Fedora now is a pure bug-fix release, no new features.
0.061..0.063 adapts tests to recent Math-BigInt and libtomcrypt (back ported). It also updates bundled libraries and provides Perl interface for their new features. CryptX upgrade postponed to a newer libtomcrypt.
Latest upstream release: 0.064
Current version/release in rawhide: 0.053-9.fc31
0.063..0.064 upgrades bundled libtomcrypt and libtommath and ppport.h. It also silences some compiler warnings and adapts XS code to the new libtommath. Fedora is still at libtomcrypt-1.18.2. CryptX upgrade postponed to a newer libtomcrypt.
Latest upstream release: 0.065
Current version/release in rawhide: 0.053-11.fc31
Latest upstream release: 0.066
Current version/release in rawhide: 0.053-11.fc31
Latest upstream release: 0.067
Current version/release in rawhide: 0.053-12.fc32
0.064..0.065
- updates bundled libtomcrypt. Irrelevant.
- adds and reverts support for ISO-10126 padding. Irrelevant.
- fixes for Math::BigInt 1.999817. I applied it in perl-CryptX-0.053-12.
0.065..0.066
- updates libtomcrypt. Irrelevant.
0.066..0.067
- adds support for Ed25519 and X25519 curves. Irrelevant since Fedora libtomcrypt-1.18.2-6.fc32 does not support ECC.
CryptX upgrade postponed to a newer libtomcrypt.
Latest upstream release: 0.068
Current version/release in rawhide: 0.053-13.fc32
0.067..0.068 changes tests to pass on macOS Perl 5.18. Not important for Fedora. The latest Fedora libtomcrypt-1.18.2-6.fc32 does not support ECC. CryptX upgrade postponed to a newer libtomcrypt.
Latest upstream release: 0.069
Current version/release in rawhide: 0.053-13.fc32
0.068..0.069 fixes a crash in ECC code that we do not deliver. Not important for Fedora. The latest Fedora libtomcrypt-1.18.2-10.fc34 does not support ECC. CryptX upgrade postponed to a newer libtomcrypt.
Latest upstream release: 0.070
Current version/release in rawhide: 0.053-18.fc34
0.069..0.070 changes CFLAGS (disable LTO) and rebases libtomcrypt. Not important for Fedora. The latest Fedora libtomcrypt-1.18.2-10.fc34 does not support ECC. CryptX upgrade postponed to a newer libtomcrypt.
Latest upstream release: 0.071
Current version/release in rawhide: 0.053-18.fc34
0.070..0.071 fixes PEM decoding (suitable for backporting) and dist tar permissions (not important for Fedora). The latest Fedora libtomcrypt-1.18.2-10.fc34 does not support ECC. CryptX upgrade postponed to a newer libtomcrypt. I will apply the fix for PEM decoding.
Applied to perl-CryptX-0.053-18.fc33.
Latest upstream release: 0.072
Current version/release in rawhide: 0.053-19.fc35
0.071..0.072 fixes RSA PKCS#1 signature verification (suitable for backporting) and rebases libtomcrypt (irrelevant). The latest Fedora libtomcrypt-1.18.2-12.fc35 does not support ECC. CryptX upgrade postponed to a newer libtomcrypt.
The verification patch has two parts: tests for CryptX and a fix in libtomcrypt. I can apply the tests here, but the fix has to go into the libtomcrypt package.
The libtomcrypt fix is not straightforward for backporting. Forwarding to libtomcrypt as a bug #1955164.
I will omit backporting the test to Fedora's perl-CryptX.
Latest upstream release: 0.073
Current version/release in rawhide: 0.053-20.fc35
0.072..0.073 replaces various JSON:: dependencies with plain JSON, removes disabling LTO, and works around a Math::BigInt 1.99982 issue. Math::BigInt was already fixed in perl-Math-BigInt. I will try applying the LTO support. Fedora still delivers libtomcrypt without ECC.
Applied to perl-CryptX-0.053-21.fc35.
For your information, libtommath package, a dependency of perl-CryptX, has been orphaned in Fedora.
Latest upstream release: 0.074
Current version/release in rawhide: 0.053-23.fc36
libtommath is owned now by mrc0mmand. v0.073..v0.074 adapts tests and Math::BigInt::LTM to new Math::BigInt 1.999827. Fedora has already applied the patches in perl-CryptX-0.053-23. Fedora's latest libtomcrypt is still 1.18.2 without ECC.
I would like to ask for updating to CryptX-0.074. My use case is FHEM (a GPL'd perl server for house automation, see https://fhem.de). It needs Crypt::Mode::CBC with zero padding (padding mode 4). See line 1240 of file fhem/FHEM/70_VIERA.pm:
> # Initialize AES
> my $cbc = Crypt::Mode::CBC->new("AES", 4);
This seems to be unsupported in Fedora's 0.053. 0.074 works fine when installed via cpan.
There won't be any CryptX upgrade until libtomcrypt contains changes CryptX upstream develops privately, or someone packages and starts maintaining CryptX's private fork of libtomcrypt separately. The padding mode #4 of Crypt::Mode::CBC was added into CryptX with commit 2fa3734a2906a808897a24ee2c36be29c12338e1 and it depends on new padding_depad() and padding_pad() functions which are still missing from the latest libtomcrypt-1.18.2-13.fc35 we have in Fedora. There is no way of backporting this feature into perl-CryptX without having the functions first in libtomcrypt.
Hello Petr, thanks for explaining the current situation, I did not expect it to be so complex. Does it mean the version of CryptX that I installed with cpan must have come with its own private libtomcrypt? Do you know how other Linux distributions handle this? Do they use libtomcrypt's debug branch?
(In reply to Jens Rosenboom from comment #38)
> Does it mean the version of CryptX that I installed with cpan must have come
> with its own private libtomcrypt?
>
Yes. It comes with its own private libtomcrypt.
> Do you know how other Linux distributions handle this? Do they use
> libtomcrypts debug branch?
Now I looked at Debian and Gentoo and they both keep using the private library.
Latest upstream release: 0.075
Current version/release in rawhide: 0.053-23.fc36
Latest upstream release: 0.076
Current version/release in rawhide: 0.053-23.fc36
v0.074..v0.075 rebases bundled libtomcrypt (still from a develop branch). Fedora used unbundled library. v0.075..v0.076 stops exporting symbols of the bundled libraries, prefixes internal functions and makes them static, updates documentation. I will try porting the function renames and the documentation.
Actually the documentation update should not be applied because it covers changes in code we have never ported. Remaining patches applied to perl-CryptX-0.053-24.fc36.
Hi Petr,
I've been poking at libtomcrypt upstream regularly for a long time, and there is definitely no sign of a release any time soon. With the latest libtomcrypt release dating back from July 2018, would it make sense to ask FPC for a bundling exception? If that is still actually needed, it seems the no-bundling rules have been severely relaxed? [1]
I definitely understand this is not ideal, and I strongly support the no-bundling rule, but in this very case, the un-bundling regresses CryptX capabilities. This would eventually allow to get ECC support in CryptX, which is certainly a huge pain point for at least some projects I'm working with. The lack of ECC support blocked a review request for perl-Authen-U2F and is still blocking it more than 3 years later [2]. This will now likely be blocking for a new perl-Authen-WebAuthn package [3].
To somewhat support the request, I would mention that Debian to my knowledge also has no-bundling rules (which are likely stronger than what they are in Fedora today), but they do ship CryptX with the bundled libtomcrypt, as mentioned in [3].
Regards, Xavier
[1] https://docs.fedoraproject.org/en-US/packaging-guidelines/#bundling
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1654664
[3] https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1411
Frankly, I don't have enough time for maintaining libtomcrypt, neither bundled nor unbundled. If you are willing to maintain it, I will give you perl-CryptX in Fedora and you will be able to rebase it while keeping bundled libtomcrypt there.
Hi Petr,
Here's some initial work to update perl-CryptX to latest upstream version and use both bundled libtomcrypt and libtommath: https://src.fedoraproject.org/fork/xavierb/rpms/perl-CryptX/diff/rawhide..use_bundled_ltc_ltm
I have tried to use bundled libtomcrypt while keeping system libtommath, it builds fine but the test suite gets confused by the mixed static/dynamic build.
I would be grateful if you could take a look as I'm not comfortable with this package yet and you likely have accumulated much more insight over the years, before I submit a proper PR and/or request rights on the package.
Thanks and regards, Xavier
That looks good. Removing all the patches makes sense because they were copied from the upstream.
For versions of the bundled() symbols I would rather use an upstream commit ID. You can find them in Changes of CryptX tarball. E.g. 0.75 lists "libtomcrypt update branch:develop (commit:673f5ce2 2021-06-04)", hence I would use "bundled(libtomcrypt) = 1.8.2^0.git673f5ce2" as recommended in <https://docs.fedoraproject.org/en-US/packaging-guidelines/Versioning/#_snapshots>. That way a security team will immediately see that it's a git snapshot at commit 673f5ce2 which happened after 1.8.2 release.
I think you can replace a dependency on "perl(Cpanel::JSON::XS)" with "perl(JSON)". It's again a fully optional run-time dependency. You don't need to put it to optional test dependencies.
Also please update a comment above License tag. The libraries became bundled. And check the bundled libraries for new licenses. You would also need to list them in the License tag and add the tag to -tests subpackage without them.
Please take these recommendations with a grain of salt. I didn't study the new sources thoroughly. Thanks for taking care of perl-CryptX. I will make you an owner of the package.
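An added example, not part of the comment above or of the Fedora package: how a security reviewer might read `bundled()` provides in the snapshot form recommended there and triage them against an advisory. The sample provides list (apart from the libtomcrypt string quoted in the comment), the libtommath version, and the "fixed in" versions are constructed for illustration.

```python
import re

# Matches RPM provides such as: bundled(libtomcrypt) = 1.8.2^0.git673f5ce2
# (an optional leading "Provides:" lets the same pattern read spec-file lines).
PROVIDES_RE = re.compile(
    r"^\s*(?:Provides:\s*)?bundled\((?P<name>[^)]+)\)\s*=\s*(?P<ver>\S+)\s*$"
)
# Snapshot suffix that follows the caret: <sequence>.git<short commit>
SNAPSHOT_RE = re.compile(r"^(?P<seq>\d+)\.git(?P<commit>[0-9a-f]{7,40})$")

# Constructed sample of `rpm -q --provides` style output.
SAMPLE_PROVIDES = [
    "perl(CryptX) = 0.076",
    "bundled(libtomcrypt) = 1.8.2^0.git673f5ce2",  # string quoted in the comment
    "bundled(libtommath) = 1.2.0",                 # constructed value
]


def parse_bundled(lines):
    """Return {library: {"base": release, "commit": short id or None}}."""
    found = {}
    for line in lines:
        m = PROVIDES_RE.match(line)
        if not m:
            continue  # ordinary provide, not a bundled() declaration
        # Text before the caret is the last upstream release the snapshot
        # follows; text after it identifies the snapshot itself.
        base, _, suffix = m.group("ver").partition("^")
        snap = SNAPSHOT_RE.match(suffix) if suffix else None
        found[m.group("name")] = {
            "base": base,
            "commit": snap.group("commit") if snap else None,
        }
    return found


def version_key(version):
    """Turn '1.18.2' into (1, 18, 2) so releases compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def triage(bundled, library, fixed_in):
    """Classify one bundled library against an advisory's fixed-in release.

    A snapshot taken after an older release may or may not already contain
    the fix, so it is reported with its commit id for manual comparison
    against the upstream fix commit instead of being guessed either way.
    """
    entry = bundled.get(library)
    if entry is None:
        return "not bundled"
    if version_key(entry["base"]) >= version_key(fixed_in):
        return "fixed"
    if entry["commit"]:
        return "check commit " + entry["commit"]
    return "affected"


if __name__ == "__main__":
    bundled = parse_bundled(SAMPLE_PROVIDES)
    # The fixed-in versions below are constructed, not real advisories.
    for lib, fixed in [("libtomcrypt", "1.9.0"), ("libtommath", "1.2.1")]:
        print(lib, "->", triage(bundled, lib, fixed))
```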
Thanks for the advice. I've updated my fork with the suggested changes. One more question, is it both allowed and safe to push an update to perl-CryptX 0.076 to Fedora/EPEL releases which are currently shipping with perl-CryptX 0.053? EPEL 7 and 8 don't have it yet, so no problem, however Fedora 34 and 35 do have it, as well as EPEL 9.
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Pushing new versions to old Fedora releases is allowed if it preserves an interface, if the new version is compatible. I haven't studied the new code, so I can't tell. Pushing breaking changes into EPEL is actually allowed, but only around the time when RHEL does a minor release.
I know the rules, sorry for not expressing myself properly. I was after some changes that might be against these rules. I did not catch anything obvious, but to be on the safe side, I'll push the 0.076 only to Fedora 36+ and EPEL. I'll leave Fedora 34 and 35 alone and as CryptX was just released to EPEL 9, an update won't break much. Thanks again for the help and patience, Petr!
FEDORA-2022-e48553a980 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-e48553a980
FEDORA-2022-e48553a980 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.