** Description changed:

  libcbor is a dependency of libfido2, which is being MIRed in bug
  #1864439. As such, libcbor was added to the same MIR.

  The libcbor MIR was accepted on two conditions:
  a) it's updated to 0.6.0[1]
  b) its test suite is run at build time[2]

  Both of these conditions are met in my linked MP[3].

  The most important packaging changes are:
  - test suite is run at package build time
  - upstream changed the soname in 0.6.0 (ok so far), but in an
    overzealous way (it made the full 0.6.0 version part of the soname).
    I talked with upstream and they suggested a patch to make 0.6 part of
    the soname only. That patch I applied in our package, and had to
    rename the binary library package to libcbor0.6 (from libcbor0). See
    the MP[3] for details and links to the conversation with upstream;
  - I fixed a ton of lintian issues. Current lintian -I --pedantic output
    is just:
  I: libcbor source: testsuite-autopkgtest-missing
  P: libcbor source: file-contains-trailing-whitespace debian/changelog (line 44)

  The upstream release notes for each version are at [4]. Our update is
  from 0.5.0 in focal to 0.6.0 with the above changes. The security team
  was interested in all the fixes announced in 0.6.0.

+ One potential issue here is that ubuntu will be shipping a 0.6.0 package
+ which produces a 0.6 version in the soname, whereas the exact same
+ upstream versions uses 0.6.0 in the soname. I asked upstream if they
+ preferred to make a new release. On one hand, upstream agreed[5], but at
+ the same time didn't seem too worried[6]. You, dear release team member
+ reviewer, are welcomed to chime in with what you think should be done :)
+ PPA with builds: https://launchpad.net/~ahasenack/+archive/ubuntu/openssh-fido/

  The only reverse dependency of libcbor is libfido2-1 and libcbor itself
  in the form of the -dev package.

  1. https://bugs.launchpad.net/ubuntu/+source/libfido2/+bug/1864439/comments/7
  2. https://bugs.launchpad.net/ubuntu/+source/libfido2/+bug/1864439/comments/9
  3. https://code.launchpad.net/~ahasenack/ubuntu/+source/libcbor/+git/libcbor/+merge/381060
  4. https://github.com/PJK/libcbor/releases
+ 5. https://github.com/PJK/libcbor/pull/131#issuecomment-602855102
+ 6. https://github.com/PJK/libcbor/issues/52#issuecomment-602864168

--
https://bugs.launchpad.net/bugs/1868609

Title:
  FFe: update to 0.6.0 (MIR requirement)