GNU bug report logs - #30448
Update librsync to 2.0.1


Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Tue, 13 Feb 2018 19:02:01 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#30448; Package guix-patches. (Tue, 13 Feb 2018 19:02:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 13 Feb 2018 19:02:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: Update librsync to 2.0.1
Date: Tue, 13 Feb 2018 14:01:13 -0500
[Message part 1 (text/plain, inline)]
librsync 2.0.1 is available at a new upstream URL:

https://github.com/librsync/librsync/releases

Patch attached.

This would also include the fix for CVE-2014-8242, which is about use of
a cryptographically broken hash function (truncated MD4), released in
librsync 1.0.0.

However, at least btar and rdiff-backup aren't compatible with this new
version of librsync (I'm still building deja-dup to test its
compatibility).

Additionally, I noticed that the built package doesn't keep any
references to bzip2 or zlib, which seems wrong to me.

Is anyone using one of the dependent packages interested in looking more
closely at this?
[0001-gnu-librsync-Update-to-2.0.1.patch (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#30448; Package guix-patches. (Thu, 15 Feb 2018 14:28:04 GMT) Full text and rfc822 format available.

Message #8 received at 30448 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 30448 <at> debbugs.gnu.org
Subject: Re: [bug#30448] Update librsync to 2.0.1
Date: Thu, 15 Feb 2018 15:27:28 +0100
Hello,

Leo Famulari <leo <at> famulari.name> skribis:

> Is anyone using one of the dependent packages interested in looking more
> closely at this?

I’m not using it, but at first sight the patch LGTM.

Thanks,
Ludo’.




Added tag(s) patch. Request was from Christopher Baines <mail <at> cbaines.net> to control <at> debbugs.gnu.org. (Mon, 19 Mar 2018 08:01:02 GMT) Full text and rfc822 format available.

Information forwarded to guix-patches <at> gnu.org:
bug#30448; Package guix-patches. (Mon, 23 Apr 2018 12:59:02 GMT) Full text and rfc822 format available.

Message #13 received at 30448 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 30448 <at> debbugs.gnu.org
Subject: Re: [bug#30448] Update librsync to 2.0.1
Date: Mon, 23 Apr 2018 14:58:17 +0200
ludo <at> gnu.org (Ludovic Courtès) skribis:

> Leo Famulari <leo <at> famulari.name> skribis:
>
>> Is anyone using one of the dependent packages interested in looking more
>> closely at this?
>
> I’m not using it, but at first sight the patch LGTM.

Ping!  :-)




Information forwarded to guix-patches <at> gnu.org:
bug#30448; Package guix-patches. (Tue, 24 Apr 2018 17:58:02 GMT) Full text and rfc822 format available.

Message #16 received at 30448 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Eric Bavier <bavier <at> member.fsf.org>, 30448 <at> debbugs.gnu.org
Subject: Breaking rdiff-backup and btar (was Re: [bug#30448] Update librsync
 to 2.0.1)
Date: Tue, 24 Apr 2018 13:57:15 -0400
[Message part 1 (text/plain, inline)]
On Mon, Apr 23, 2018 at 02:58:17PM +0200, Ludovic Courtès wrote:
> ludo <at> gnu.org (Ludovic Courtès) skribis:
> 
> > Leo Famulari <leo <at> famulari.name> skribis:
> >
> >> Is anyone using one of the dependent packages interested in looking more
> >> closely at this?
> >
> > I’m not using it, but at first sight the patch LGTM.
> 
> Ping!  :-)

My understanding is this update will break btar and rdiff-backup.

I suspect this will annoy some Guix users. Plus, I don't know if these
projects make an effort to detect MD4 collisions or not; perhaps they
are safe to use despite the broken librsync dependency.

We could add an old librsync package variant for those packages, but we
should add a note about the reliance on MD4.

I'll wait a few days for more feedback.

PS — this issue highlighted for me that the duplicity backup program
also depends on librsync with MD4. For recent versions of librsync,
duplicity forces librsync to fall back to MD4...
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#30448; Package guix-patches. (Tue, 24 Apr 2018 20:31:02 GMT) Full text and rfc822 format available.

Message #19 received at 30448 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: Eric Bavier <bavier <at> member.fsf.org>, 30448 <at> debbugs.gnu.org
Subject: Re: Breaking rdiff-backup and btar (was Re: [bug#30448] Update
 librsync to 2.0.1)
Date: Tue, 24 Apr 2018 22:30:14 +0200
Leo Famulari <leo <at> famulari.name> skribis:

> PS — this issue highlighted for me that the duplicity backup program
> also depends on librsync with MD4. For recent versions of librsync,
> duplicity forces librsync to fall back to MD4...

Woow, it does sound like a problem.  :-/

Thanks for the clarification,
Ludo’.




Information forwarded to guix-patches <at> gnu.org:
bug#30448; Package guix-patches. (Wed, 25 Apr 2018 17:24:01 GMT) Full text and rfc822 format available.

Message #22 received at 30448 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Eric Bavier <bavier <at> member.fsf.org>, 30448 <at> debbugs.gnu.org
Subject: Re: Breaking rdiff-backup and btar (was Re: [bug#30448] Update
 librsync to 2.0.1)
Date: Wed, 25 Apr 2018 13:23:33 -0400
[Message part 1 (text/plain, inline)]
On Tue, Apr 24, 2018 at 10:30:14PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo <at> famulari.name> skribis:
> 
> > PS — this issue highlighted for me that the duplicity backup program
> > also depends on librsync with MD4. For recent versions of librsync,
> > duplicity forces librsync to fall back to MD4...
> 
> Woow, it does sound like a problem.  :-/

Yeah, it makes me wonder if duplicity is still maintained or not...
A few years ago there was some discussion of making duplicity compatible
with librsync's new BLAKE2 message digests, but I guess the work has
stalled.

Btw, the affected packages (btar, rdiff-backup, and duplicity) are the
only users of librsync in Guix. So I think there is no reason to
update librsync for now.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#30448; Package guix-patches. (Sat, 28 Apr 2018 16:49:02 GMT) Full text and rfc822 format available.

Message #25 received at 30448 <at> debbugs.gnu.org (full text, mbox):

From: Oleg Pykhalov <go.wigust <at> gmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: Ludovic Courtès <ludo <at> gnu.org>,
 Eric Bavier <bavier <at> member.fsf.org>, 30448 <at> debbugs.gnu.org
Subject: Re: [bug#30448] Breaking rdiff-backup and btar (was Re: [bug#30448]
 Update librsync to 2.0.1)
Date: Sat, 28 Apr 2018 19:48:25 +0300
[Message part 1 (text/plain, inline)]
Hello,

Leo Famulari <leo <at> famulari.name> writes:

[…]

> Yeah, it makes me wonder if duplicity is still maintained or not...

The upstream does maintain duplicity.  Also I did a version update
0.7.12 -> 0.7.17 in our package recipe.  I hope to send it to Guix
patches mailing list after testing it myself for some time.

[…]

Oleg.
[signature.asc (application/pgp-signature, inline)]

Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Wed, 13 Feb 2019 00:01:01 GMT) Full text and rfc822 format available.

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Wed, 13 Feb 2019 00:01:02 GMT) Full text and rfc822 format available.

Message #30 received at 30448-done <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
Cc: 30448-done <at> debbugs.gnu.org
Subject: Re: Breaking rdiff-backup and btar (was Re: [bug#30448] Update
 librsync to 2.0.1)
Date: Tue, 12 Feb 2019 19:00:35 -0500
[Message part 1 (text/plain, inline)]
On Wed, Apr 25, 2018 at 01:23:33PM -0400, Leo Famulari wrote:
> Btw, the affected packages (btar, rdiff-backup, and duplicity) are the
> only users of librsync in Guix. So I think there is no reason to
> update librsync for now.

Closing this bug ticket...
[signature.asc (application/pgp-signature, inline)]

Did not alter fixed versions and reopened. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 13 Feb 2019 18:23:01 GMT) Full text and rfc822 format available.

Information forwarded to guix-patches <at> gnu.org:
bug#30448; Package guix-patches. (Wed, 13 Feb 2019 21:28:01 GMT) Full text and rfc822 format available.

Message #35 received at 30448 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: 30448 <at> debbugs.gnu.org
Subject: [PATCH] gnu: librsync: Update to 2.0.2.
Date: Wed, 13 Feb 2019 16:26:45 -0500
* gnu/packages/rsync.scm (librsync): Update to 2.0.2.
[source]: Update source URL.
[build-system]: Use cmake-build-system.
[inputs]: Add popt.
[arguments]: Remove field.
(librsync-0.9): New variable.
(btar, duplicity, rdiff-backup)[inputs]: Use librsync-0.9.
---
 gnu/packages/backup.scm |  6 +++---
 gnu/packages/rsync.scm  | 40 ++++++++++++++++++++++++++++++----------
 2 files changed, 33 insertions(+), 13 deletions(-)

diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index 970d0adb06..64a02a1b7e 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -95,7 +95,7 @@
      `(("lockfile" ,python2-lockfile)
        ("urllib3" ,python2-urllib3)))
     (inputs
-     `(("librsync" ,librsync)
+     `(("librsync" ,librsync-0.9)
        ("lftp" ,lftp)
        ("gnupg" ,gnupg)                 ; gpg executable needed
        ("util-linux" ,util-linux)       ; for setsid
@@ -362,7 +362,7 @@ list and implement the backup strategy.")
          "0miklk4bqblpyzh1bni4x6lqn88fa8fjn15x1k1n8bxkx60nlymd"))))
     (build-system gnu-build-system)
     (inputs
-     `(("librsync" ,librsync)))
+     `(("librsync" ,librsync-0.9)))
     (arguments
      `(#:make-flags `(,(string-append "PREFIX=" (assoc-ref %outputs "out"))
                       "CC=gcc")
@@ -395,7 +395,7 @@ errors.")
     (build-system python-build-system)
     (inputs
      `(("python" ,python-2)
-       ("librsync" ,librsync)))
+       ("librsync" ,librsync-0.9)))
     (arguments
      `(#:python ,python-2
        #:tests? #f))
diff --git a/gnu/packages/rsync.scm b/gnu/packages/rsync.scm
index 4fed03523e..b20b841478 100644
--- a/gnu/packages/rsync.scm
+++ b/gnu/packages/rsync.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2016 Mark H Weaver <mhw <at> netris.org>
 ;;; Copyright © 2017 Efraim Flashner <efraim <at> flashner.co.il>
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me <at> tobias.gr>
+;;; Copyright © 2019 Leo Famulari <leo <at> famulari.name>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -21,12 +22,15 @@
 
 (define-module (gnu packages rsync)
   #:use-module (gnu packages)
-  #:use-module (gnu packages perl)
   #:use-module (gnu packages acl)
   #:use-module (gnu packages base)
-  #:use-module (guix licenses)
+  #:use-module (gnu packages compression)
+  #:use-module (gnu packages perl)
+  #:use-module (gnu packages popt)
+  #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix packages)
   #:use-module (guix download)
+  #:use-module (guix build-system cmake)
   #:use-module (guix build-system gnu))
 
 
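Review bot: `#:use-module (gnu packages compression)` is added here, but none of the hunks in this patch references a variable from that module; the only input added to `librsync` is `popt`. If nothing else in the file needs it, drop the import. If the intent was to give librsync zlib or bzip2 as inputs (the original report observed that the built package keeps no references to them), the `inputs` field should list them. The switch of `(guix licenses)` to `#:prefix license:` is also not mentioned in the commit log.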
@@ -51,25 +55,26 @@ to/from another host over any remote shell, or to/from a remote rsync daemon.
 Its delta-transfer algorithm reduces the amount of data sent over the network
 by sending only the differences between the source files and the existing
 files in the destination.")
-   (license gpl3+)
+   (license license:gpl3+)
    (home-page "http://rsync.samba.org/")))
 
 (define-public librsync
   (package
     (name "librsync")
-    (version "0.9.7")
+    (version "2.0.2")
        (source (origin
             (method url-fetch)
-            (uri (string-append "mirror://sourceforge/librsync/librsync/"
-                                version "/librsync-" version ".tar.gz"))
+            (uri (string-append "https://github.com/librsync/librsync/archive/v"
+                                version ".tar.gz"))
             (sha256
              (base32
-              "1mj1pj99mgf1a59q9f2mxjli2fzxpnf55233pc1klxk2arhf8cv6"))))
-   (build-system gnu-build-system)
+              "1waa581pcscc1rnvy06cj584k5dx0dc7jj79wsdj7xw4xqh9ayz6"))))
+   (build-system cmake-build-system)
+   (inputs
+    `(("popt" ,popt)))
    (native-inputs
     `(("which" ,which)
       ("perl" ,perl)))
-   (arguments '(#:configure-flags '("--enable-shared")))
    (home-page "http://librsync.sourceforge.net/")
    (synopsis "Implementation of the rsync remote-delta algorithm")
    (description
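Review bot: The new `source` in `librsync` fetches a URL ending in `archive/v` plus the version plus `.tar.gz` through `url-fetch` and sets no `file-name`, so the downloaded item is named after the last URL component (`v2.0.2.tar.gz`) instead of after the package. Adding `(file-name (string-append name "-" version ".tar.gz"))` to the origin keeps the name descriptive. The `home-page` context line still points at `http://librsync.sourceforge.net/` although the source URL has moved to GitHub; that is worth updating in the same change.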
@@ -78,4 +83,19 @@ remote-delta algorithm.  This algorithm allows efficient remote updates of a
 file, without requiring the old and new versions to both be present at the
 sending end.  The library uses a \"streaming\" design similar to that of zlib
 with the aim of allowing it to be embedded into many different applications.")
-   (license lgpl2.1+)))
+   (license license:lgpl2.1+)))
+
+(define-public librsync-0.9
+  (package
+    (inherit librsync)
+    (version "0.9.7")
+        (source (origin
+             (method url-fetch)
+            (uri (string-append "mirror://sourceforge/librsync/librsync/"
+                                version "/librsync-" version ".tar.gz"))
+             (sha256
+              (base32
+              "1mj1pj99mgf1a59q9f2mxjli2fzxpnf55233pc1klxk2arhf8cv6"))))
+    (build-system gnu-build-system)
+    (arguments '(#:configure-flags '("--enable-shared")))
+    (inputs '())))
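Review bot: `librsync-0.9` is exported with `define-public` but has no comment explaining that it exists only for the packages that cannot use librsync 2.x, or that version 0.9.7 predates the fix for CVE-2014-8242 (truncated MD4), which the report says was released in librsync 1.0.0. A comment above the definition would make that visible to anyone who later picks it as an input. Separately, the added `(source (origin` line is indented eight spaces and `(method url-fetch)` and `(sha256` sit one column to the right of `(uri`; re-indent the origin to match the rest of the form.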
-- 
2.20.1





Information forwarded to guix-patches <at> gnu.org:
bug#30448; Package guix-patches. (Wed, 13 Feb 2019 21:31:02 GMT) Full text and rfc822 format available.

Message #38 received at 30448 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
Cc: 30448 <at> debbugs.gnu.org
Subject: Re: [bug#30448] Update librsync to 2.0.1
Date: Wed, 13 Feb 2019 16:30:24 -0500
[Message part 1 (text/plain, inline)]
On Wed, Apr 25, 2018 at 01:23:33PM -0400, Leo Famulari wrote:
> Btw, the affected packages (btar, rdiff-backup, and duplicity) are the
> only users of librsync in Guix. So I think there is no reason to
> update librsync for now.

Since a new librsync user, burp, has been added to Guix, I've submitted
an updated revision of this patch.
[signature.asc (application/pgp-signature, inline)]

Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Mon, 25 Feb 2019 23:25:02 GMT) Full text and rfc822 format available.

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Mon, 25 Feb 2019 23:25:02 GMT) Full text and rfc822 format available.

Message #43 received at 30448-done <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: 30448-done <at> debbugs.gnu.org
Subject: Re: [bug#30448] Update librsync to 2.0.1
Date: Mon, 25 Feb 2019 18:24:10 -0500
[Message part 1 (text/plain, inline)]
On Wed, Feb 13, 2019 at 04:30:24PM -0500, Leo Famulari wrote:
> Since a new librsync user, burp, has been added to Guix, I've submitted
> an updated revision of this patch.

Pushed as 584dbd8568cca381682fb682b7daf7aa37bc7df8
[signature.asc (application/pgp-signature, inline)]

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 26 Mar 2019 11:24:07 GMT) Full text and rfc822 format available.

This bug report was last modified 5 years and 25 days ago.
