[Bug 1868609] Re: FFe: update to 0.6.0 (MIR requirement)

Launchpad Bug Tracker 1868609 at bugs.launchpad.net
Fri Mar 27 15:46:00 UTC 2020 

This bug was fixed in the package libcbor - 0.6.0-0ubuntu1

---------------
libcbor (0.6.0-0ubuntu1) focal; urgency=medium

  * New upstream version 0.6.0 (LP: #1868609):
    - no need for dfsg since docs/doxygen is no longer shipped
  * d/rules: override auto_configure to enable tests and set the build
    type to "Release" as shown in the upstream build instructions.
  * d/p/skip-custom-allocator-test.patch: skip custom allocator test if
    CBOR_CUSTOM_ALLOC is undefined
  * d/rules: add hardening=+all
  * Fix soname versioning:
    - d/p/clarify-soname-versioning.patch: adjust soname versioning to
      match expectations $MAJOR.$MINOR.$PATCH
    - d/control: rename binary package to match soname 0.6
    - d/control: fix -dev dependency towards its binary lib
    - d/libcbor0.6.install, d/libcbor0.6.symbols: rename to match new soname
    - d/libcbor0.6.symbols: symbols update, add B-D-P field
  * d/libcbor-doc.examples: rename so examples are installed
  * d/control: bump debhelper to 12
  * d/copyright lintian fixes:
    - d/copyright: change url to https
    - d/copyright: remove Files-Excluded since that directory is not
      shipped in the 0.6.0 upstream tarball.
    - d/copyright: removed entry about docs/stylesheets/github-light.css
      as this isn't shipped anymore in the upstream tarball.
  * d/control: set R3 to no
  * d/copyright: add new paragraph for new files in 0.6.0
  * d/control: bump standards-version to 4.5.0 (no changes required)
  * d/watch: remove dfsg mangling

 -- Andreas Hasenack <andreas at canonical.com>  Wed, 25 Mar 2020 19:22:25
+0000

** Changed in: libcbor (Ubuntu)
       Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libcbor in Ubuntu.
https://bugs.launchpad.net/bugs/1868609

Title:
  FFe: update to 0.6.0 (MIR requirement)

Status in libcbor package in Ubuntu:
  Fix Released

Bug description:
  libcbor is a dependency of libfido2, which is being MIRed in bug
  #1864439. As such, libcbor was added to the same MIR.

  The libcbor MIR was accepted on two conditions:
  a) it's updated to 0.6.0[1]
  b) its test suite is run at build time[2]

  Both of these conditions are met in my linked MP[3]. The most important packaging changes are:
  - test suite is run at package build time
  - upstream changed the soname in 0.6.0 (ok so far), but in an overzelous way (it made the full 0.6.0 version part of the soname). I talked with upstream and they suggested a patch to make 0.6 part of the soname only. That patch I applied in our package, and had to rename the binary library package to libcbor0.6 (from libcbor0). See the MP[3] for details and links to the conversation with upstream;
  - I fixed a ton of lintian issues. Current lintian -I --pedantic output is just:
  I: libcbor source: testsuite-autopkgtest-missing
  P: libcbor source: file-contains-trailing-whitespace debian/changelog (line 44)

  The upstream release notes for each version are at [4]. Our update is
  from 0.5.0 in focal to 0.6.0 with the above changes. The security team
  was interested in all the fixes announced in 0.6.0.

  One potential issue here is that ubuntu will be shipping a 0.6.0
  package which produces a 0.6 version in the soname, whereas the exact
  same upstream versions uses 0.6.0 in the soname. I asked upstream if
  they preferred to make a new release. On one hand, upstream agreed[5],
  but at the same time didn't seem too worried[6]. You, dear release
  team member reviewer, are welcomed to chime in with what you think
  should be done :)

  PPA with builds: https://launchpad.net/~ahasenack/+archive/ubuntu
  /openssh-fido/

  The only reverse dependency of libcbor is libfido2-1 and libcbor
  itself in the form of the -dev package.

  1. https://bugs.launchpad.net/ubuntu/+source/libfido2/+bug/1864439/comments/7
  2. https://bugs.launchpad.net/ubuntu/+source/libfido2/+bug/1864439/comments/9
  3. https://code.launchpad.net/~ahasenack/ubuntu/+source/libcbor/+git/libcbor/+merge/381060
  4. https://github.com/PJK/libcbor/releases
  5. https://github.com/PJK/libcbor/pull/131#issuecomment-602855102
  6. https://github.com/PJK/libcbor/issues/52#issuecomment-602864168

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libcbor/+bug/1868609/+subscriptions

More information about the foundations-bugs mailing list