[Bug 2036724] Re: [FFe] sync libgcrypt20 1.10.2-3 from Debian to mantic
Steve Langasek
2036724 at bugs.launchpad.net
Mon Sep 25 18:46:58 UTC 2023
> Yes. This wasn't the case when the patch was added, so back then
> it helped make the archive version usable with a FIPS kernel.
> Nowadays we ship our own libgcrypt20 so it doesn't make a difference.

The original reason for this patch being added was LP: #1748310. Do we
really want to risk reintroducing such a bug? A FIPS customer who has
the FIPS archive enabled SHOULD be using the libgcrypt20 from the FIPS
archive; but if they make a mistake and have the libgcrypt20 from the
main Ubuntu archive installed, with this patch reverted, will this
misbehave on boot?

FIPS is not supported on non-LTS releases so I don't actually care about
this from a feature freeze POV, consider the exception granted. But we
still need to be sure that dropping this change is the correct thing to
do from the perspective of 24.04 LTS.

--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libgcrypt20 in Ubuntu.
https://bugs.launchpad.net/bugs/2036724
Title:
[FFe] sync libgcrypt20 1.10.2-3 from Debian to mantic
Status in libgcrypt20 package in Ubuntu:
New
Bug description:
To sync libgcrypt20 1.10.2-3 instead of merging, it will drop 2
remaining changes:

1. d/p/12_lessdeps_libgcrypt-config.diff: refresh patch offsets
   It's the same as the Debian package, and it can be applied successfully without
   this delta.

2. d/p/disable_fips_enabled_read.patch
   Disable the library reading /proc/sys/crypto/fips_enabled file
   and going into FIPS mode.
   libgcrypt is not a FIPS certified library.

I want to request FFe for this one. libgcrypt is a FIPS certified library
nowadays, so this patch is obsolete.

Changelog entries since current mantic version 1.10.2-2ubuntu1:
libgcrypt20 (1.10.2-3) unstable; urgency=medium

  [ Simon Josefsson ]
  * Update Homepage: URL.

  [ Andreas Metzler ]
  * Drop --insert-timestamp linker option on mingw*, binutils 2.41 should use
    SOURCE_DATE_EPOCH automatically and the Debian package has dropped the
    patch to add the --insert-timestamp option. Closes: #1052219

 -- Andreas Metzler <ametzler at debian.org>  Tue, 19 Sep 2023 13:48:32 +0200

This new version fixes libgcrypt20 FTBFS.