pkg-perl-maintainers team mailing list archive

[Bug 2046154] Re: [MIR] libcryptx-perl (libmail-dkim-perl dependency)

 

** Description changed:

  [MIR] libcryptx-perl (libmail-dkim-perl dependency)
  
  Package: libcryptx-perl
  
  [Availability]
  The package libcryptx-perl  is already in Ubuntu universe.
  The package libcryptx-perl  build for the architectures it is designed to work on.
  It currently builds and works for architectures:  amd64, arm64, armhf, ppc64el, riscv64, s390x (any)
  Link to package https://launchpad.net/ubuntu/+source/libcryptx-perl
  
  [Rationale]
  The package libcryptx-perl  is required in Ubuntu main for libmail-dkim-perl .
  The package libcryptx-perl  will not generally be useful for a large part of
  our user base, but is important/helpful still because is required as runtime dependency by libmail-dkim-perl that is already in main.
  
  libmail-dkim-perl it's a perl module to cryptographically identify the
  sender of email (implementing the new Domain Keys Identified Mail
  (DKIM)), used by spamassassin and amavisd-new. The following changes
  have been added to libmail-dkim-perl since the version we have released
  in noble:
  
  1.20230911 2023-09-11 UTC
    * Option to add custom tags to generated ARC signatures and seals
  
  1.20230630 2023-06-30 UTC
    * Add support for Ed25519 signature types
      Thanks to  Matthäus Wander @mwander
    * Option to add custom tags to generated signatures
  
  the 'Add support for Ed25519' is the one that requires the use of
  Crypt::PK::Ed25519, provided by the libcryptx-perl package.
  
  Apparently, no other packages provide similar functionality:
  
  root@Nlib-dkim-perl:~# apt-file search Ed25519 | grep perl
   libcryptx-perl: /usr/lib/x86_64-linux-gnu/perl5/5.36/Crypt/PK/Ed25519.pm
   libcryptx-perl: /usr/share/man/man3/Crypt::PK::Ed25519.3pm.gz
  
  The package libcryptx-perl is required in Ubuntu main as soon as
  possible, since libmail-dkim-perl depends on it and libmail-dkim-perl is
  already in main.
  
  [Security]
  No CVEs/security issues in this software in the past:
    - (0) https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libcryptx-perl
    - (0) https://ubuntu.com/security/cves?q=&package=libcryptx-perl
    - (0) https://security-tracker.debian.org/tracker/source-package/libcryptx-perl
  No `suid` or `sgid` binaries.
  No executables in `/sbin` and `/usr/sbin`.
  Package does not install services, timers or recurring jobs.
  Package does not open privileged ports (ports < 1024).
  Package does not expose any external endpoints.
  Package contains extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...);
  It's a Perl module that provides a self-contained cryptographic toolkit :
  CryptX is a self-contained cryptgraphico toolkit based on  https://github.com/libtom/libtomcrypt.
  It provides cyphers, block cipher modes, authenticated encryption modes, hash functions, message authentication
  codes, public key cryptography, cryptographically secure random number generators, key derivation functions.
  The package provides a shared library for this too.
  
  [Quality assurance - function/usage]
  The package works well right after the install.
  
  [Quality assurance - maintenance]
  The package is maintained well in Debian/Ubuntu and does
  not have too many, long-term & critical, open bugs:
     - Ubuntu (1) https://bugs.launchpad.net/ubuntu/+source/libcryptx-perl/+bug
     - Debian (0) https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libcryptx-perl
     - Upstream's bug tracker (4) https://github.com/DCIT/perl-CryptX/issues
       + Upstream's repo last activity: https://github.com/DCIT/perl-CryptX
         - last commit: in master, Oct 17, 2023
         - Issues without answer: 3
         - Updated issue/PR: Oct 30, 2023
         - last fixed/closed/merged issue: Oct 9, 2023
         - last merged PR: Oct 9, 2023
  The package has an important/old open bug on upstream, affecting FreeBSD initially:
   - SIGILL when calling verify_message (https://github.com/DCIT/perl-CryptX/issues/98)
  
  The package does not deal with exotic hardware we cannot support.
  
  [Quality assurance - testing]
  The package runs a test suite on build time, if it fails
  it makes the build fail: https://launchpad.net/ubuntu/+source/libcryptx-perl/0.080-2/+build/27021219/+files/buildlog_ubuntu-noble-amd64.libcryptx-perl_0.080-2_BUILDING.txt.gz :
  
     dh_auto_test
   make -j4 test TEST_VERBOSE=1
  make[1]: Entering directory '/<<PKGBUILDDIR>>'
  "/usr/bin/perl" -MExtUtils::Command::MM -e 'cp_nonempty' -- CryptX.bs blib/arch/auto/CryptX/CryptX.bs 644
  PERL_DL_NONLAZY=1 "/usr/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(1, 'blib/lib', 'blib/arch')" t/*.t
  
  The package runs an autopkgtest (via autodep8 using 'Testsuite: autopkgtest-pkg-perl' in d/control file - https://git.launchpad.net/ubuntu/+source/libcryptx-perl/tree/debian/control#n5 -),
  that runs essentialy the above build-time test suite. It is currently passing on
  this list of architectures (amd64, arm64, armhf, i386, ppc64el, s390x): https://autopkgtest.ubuntu.com/packages/l/libcryptx-perl
  
  [Quality assurance - packaging]
  debian/watch is present and works.
  
  debian/control defines a correct Maintainer field : Debian Perl Group
  <pkg-perl-maintainers@xxxxxxxxxxxxxxxxxxxxxxx> (
  https://git.launchpad.net/ubuntu/+source/libcryptx-
  perl/tree/debian/control#n2)
  
  This package does not yield massive lintian Warnings, Errors
    - recent build log of the package https://launchpad.net/ubuntu/+source/libcryptx-perl/0.080-2/+build/27021219/+files/buildlog_ubuntu-noble-amd64.libcryptx-perl_0.080-2_BUILDING.txt.gz
    - full output from `lintian --pedantic` :
      #source
      ❯ lintian -EvIL +pedantic --show-overrides
        W: libcryptx-perl: changelog-distribution-does-not-match-changes-file unstable != noble [usr/share/doc/libcryptx-perl/changelog.Debian.gz:1]
        W: libcryptx-perl changes: distribution-and-changes-mismatch noble unstable
        I: libcryptx-perl: typo-in-manual-page octects octets [usr/share/man/man3/Crypt::Checksum::Adler32.3pm.gz:136]
        I: libcryptx-perl: typo-in-manual-page octects octets [usr/share/man/man3/Crypt::Checksum::Adler32.3pm.gz:163]
        I: libcryptx-perl: typo-in-manual-page octects octets [usr/share/man/man3/Crypt::Checksum::CRC32.3pm.gz:136]
        I: libcryptx-perl: typo-in-manual-page octects octets [usr/share/man/man3/Crypt::Checksum::CRC32.3pm.gz:163]
        I: libcryptx-perl: typo-in-manual-page octects octets [usr/share/man/man3/Crypt::PRNG.3pm.gz:128]
        I: libcryptx-perl: typo-in-manual-page octects octets [usr/share/man/man3/Crypt::PRNG.3pm.gz:135]
        I: libcryptx-perl: typo-in-manual-page octects octets [usr/share/man/man3/Crypt::PRNG.3pm.gz:142]
        I: libcryptx-perl: typo-in-manual-page octects octets [usr/share/man/man3/Crypt::PRNG.3pm.gz:149]
  
      #binary
      ❯ lintian -EvIL +pedantic --show-overrides ../libcryptx-perl_0.080-2.dsc
        X: libcryptx-perl source: debian-watch-does-not-check-openpgp-signature [debian/watch]
        X: libcryptx-perl source: update-debian-copyright 2017 vs 2023 [debian/copyright:88]
        X: libcryptx-perl source: very-long-line-length-in-source-file 1103 > 512 [t/data/binary-test.file:16]
        X: libcryptx-perl source: very-long-line-length-in-source-file 1124 > 512 [t/mbi_ltm/bigfltpm.inc:913]
        X: libcryptx-perl source: very-long-line-length-in-source-file 1239 > 512 [t/pk_ecc_test_vectors_openssl.t:20]
        X: libcryptx-perl source: very-long-line-length-in-source-file 1430 > 512 [t/data/ssh/ssh_rsa_8192.pub:1]
        X: libcryptx-perl source: very-long-line-length-in-source-file 1655 > 512 [t/jwk.t:21]
        X: libcryptx-perl source: very-long-line-length-in-source-file 2071 > 512 [t/sshkey.t:73]
        X: libcryptx-perl source: very-long-line-length-in-source-file 571 > 512 [t/pk_dh.t:98]
        X: libcryptx-perl source: very-long-line-length-in-source-file 614 > 512 [t/data/ssh/ssh_dsa_1024.pub:1]
        X: libcryptx-perl source: very-long-line-length-in-source-file 699 > 512 [t/mode_ecb.t:28]
        X: libcryptx-perl source: very-long-line-length-in-source-file 745 > 512 [t/mode_cbc.t:40]
        X: libcryptx-perl source: very-long-line-length-in-source-file 750 > 512 [t/data/ssh/ssh_rsa_4096.pub:1]
        X: libcryptx-perl source: very-long-line-length-in-source-file 7992 > 512 [t/pk_dsa_test_vectors_openssl.t:13]
        X: libcryptx-perl source: very-long-line-length-in-source-file 8771 > 512 [t/pk_rsa_test_vectors_openssl.t:38]
  
  This package does not rely on obsolete or about to be demoted packages.
  This package has no python2 or GTK2 dependencies.
  
  The package will not be installed by default.
  
  Packaging and build is easy, link to debian/rules:
  https://git.launchpad.net/ubuntu/+source/libcryptx-
  perl/tree/debian/rules
  
  [UI standards]
  Application is not end-user facing (does not need translation).
  
  [Dependencies]
  There are further dependencies not yet in main. Listing then:
  
  - libmath-bigint-perl
    + libscalar-list-utils-perl
  
  but the modules provided by libmath-bigint-perl are provided also by
  perl-modules-5.36 (i.e. , /usr/share/perl/5.36.0/Math/Big{Float,Int}.pm
  ). To double confirm that processing these dependencies to a MIR is not
  needed by now, in the control file of the perl package we found a Break
  for libmath-bigint-perl since version 1.999830:
  
  https://git.launchpad.net/ubuntu/+source/perl/tree/debian/control#n196
  
  and Replaces:
  
  https://git.launchpad.net/ubuntu/+source/perl/tree/debian/control#n243
  
  alongside the Provides for that version:
  
  https://git.launchpad.net/ubuntu/+source/perl/tree/debian/control#n330.
  
  However, new version for libmath-bigint-perl in noble-proposed is
  2.002000-1, above the one provided by the incoming perl transition 5.38:
  
  https://tracker.debian.org/media/packages/p/perl/control-5.38.2-1
  
  Maybe version 2.002000-1 will be included in perl 5.40 (scheduled in May 2024,
  https://groups.google.com/g/linux.debian.bugs.dist/c/J5E_eGT8fC8 ), but nothing for sure yet, as also no notice of that inclusion can be read at https://tracker.debian.org/pkg/libmath-bigint-perl ( Could be libmath-bigint-gmp-perl  https://tracker.debian.org/pkg/libmath-bigint-gmp-perl choosen instead? ).
  
  [Standards compliance]
  This package correctly follows FHS and Debian Policy (4.6.2)
  
  [Maintenance/Owner]
  Owning Team will be Ubuntu Server Team.
  Team is not yet, but will subscribe to the package before promotion.
  This does not use static builds.
- This does not use vendored code.
+ This uses vendored code:
+   - src/ltc : LibTomCrypt: https://github.com/libtom/libtomcrypt
+   - src/ltm: LibTomMath: https://github.com/libtom/libtommath
+ Both are packaged in Ubuntu: libtomcrypt-dev and libtommath-dev .
+ 
  This package is not rust based.
  
  A previous version of the package was successfully built during the most
  recent test rebuild : https://launchpad.net/ubuntu/+archive/test-
  rebuild-20230830-mantic/+build/26595349/+files/buildlog_ubuntu-mantic-
  amd64.libcryptx-perl_0.078-1_BUILDING.txt.gz
  
  [Background information]
  The Package description explains the package well.
  Upstream Name is CryptX .
  Link to upstream project https://metacpan.org/dist/CryptX
  
  This has been in the archive since at least 2017 (Bionic, 0.054-1).
  It had a bug filed against it in Launchpad, for upgrading Bionic's version: https://bugs.launchpad.net/ubuntu/+source/libcryptx-perl/+bug/1840382.
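
Review bot: The added "This uses vendored code" lines under [Maintenance/Owner] name src/ltc and src/ltm and note that libtomcrypt-dev and libtommath-dev are packaged in Ubuntu, but they do not say whether the libcryptx-perl build links against those system libraries or compiles the bundled copies, nor which upstream versions are bundled. For a cryptographic toolkit moving to main this decides who carries security fixes: if the bundled copies are built, a fix to libtomcrypt or libtommath needs a separate libcryptx-perl upload. Suggest stating the build behaviour and the bundled versions here, and extending the [Security] section, whose three CVE searches query only libcryptx-perl, to cover the CVE history of the vendored LibTomCrypt and LibTomMath as well.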

-- 
You received this bug notification because you are a member of Debian
Perl Group, which is subscribed to libcryptx-perl in Ubuntu.
https://bugs.launchpad.net/bugs/2046154

Title:
  [MIR] libcryptx-perl (libmail-dkim-perl dependency)
