Control: tags -1 + patch The cryptography that is broken in this package is comically old and broken: single-DES, broken in every case in 2012 for ~$200 / 26 hours.
Upstream is dead, and a fork is maintained in the src:barnowl project. The fork contains fixed code, both for the comically awful legacy crypto, and for the modern protocol that it appears people actually use in the real world: https://sources.debian.net/src/barnowl/1.9-4/zcrypt.c/#L24 I would love to see this package RM'd, but if not, then turning off the uselessly broken crypto might be a good solution: diff --git a/owl-2.2.2/owl.h b/owl-2.2.2/owl.h index a306373..aa4bbcf 100644 --- a/owl-2.2.2/owl.h +++ b/owl-2.2.2/owl.h @@ -180,10 +180,6 @@ static const char owl_h_fileIdent[] = "$Id: owl.h,v 1.128 2009/04/07 05:00:29 kr #define OWL_REGEX_QUOTECHARS "+*.?[]^\\${}()" #define OWL_REGEX_QUOTEWITH "\\" -#if defined(HAVE_DES_STRING_TO_KEY) && defined(HAVE_DES_KEY_SCHED) && defined(HAVE_DES_ECB_ENCRYPT) -#define OWL_ENABLE_ZCRYPT 1 -#endif - #define OWL_META(key) ((key)|0200) /* OWL_CTRL is definied in kepress.c */ This removes the dependencies on libssl-dev entirely, fixing the whole problem. The package builds fine with the useless dependency, but dh_shlibs gets mangry. Chris.
