Bug#760735: libgnutls26: [dummy bug] Must not be shipped in jessie

Sat Oct 4 11:02:50 UTC 2014

On 04/10/14 08:23, Andreas Metzler wrote:
> On 2014-10-03 Kurt Roeckx <kurt at roeckx.be> wrote:
>> On Sun, Sep 07, 2014 at 02:16:03PM +0200, Andreas Metzler wrote:
>>> Package: libgnutls26
>>> Version: 2.12.23-17
>
>>> GnuTLS 2.12 should not be shipped in jessie, let's make sure it does
>>> not accidentally re-enter testing after its removal (which is not yet
>>> scheduled).
>
>> Can you clarify which version(s) you think should ship with
>> jessie?  I'm guessing you want to go with the 3.2 upstream version
>> so the gnutls28 source package?
>
> Hello,
> we will ship gnutls28 (3.3.x).
>
>> libgnutls-dev is currently a binary package from libgnutls26
>> and libgnutls28-dev Provides gnutls-dev (not libgnutls-dev).
>> There are packages that Build-Depend on libgnutls-dev.
>
>> Could you please clarify what should happen?
>
> The packages that work with _and_ actually *require* GnuTLS should
> build-depend on libgnutls28-dev. Stuff that requires the old library
> version will have to go.
>
> Thank you for pointing this out to me, I have been handholding the
> transition for a couple of months and thought it was almost done.
>
> Looking at the current status we find these packages build-depending
> on libgnutls-dev:
>
> centerim (only in sid)
> cluster-glue 1.0.12~rc1+hg2777-1
> gst-plugins-bad0.10 (0.10.23-7.3)
> gst-plugins-bad1.0 (1.4.3-1)
> kopete (4:4.14.1-1)
> libvmime (only in sid)
> mandos (1.6.8-1)
> mod-gnutls (sid is fixed and broken, testing is horribly outdated)
> ntopng (1.2.1+dfsg1-1)
> openldap (2.4.39-1.1)
> openvas* (only in sid)
> pacemaker* (only in sid)
> pokerth (1.1.1-2.1)
> python-gnutls (1.2.5-1)
> qutecom (2.2.1+dfsg1-5.1)
> snort (2.9.5.3-3)
> sogo (only in sid)
> vdr-plugin-fritzbox (1.5.2-5)
> wine (1.6.2-8)
> wine-development (1.7.27-1)
> xchat-gnome (1:0.30.0~git20131003.d20b8d-2.1)
> xen (4.4.1-2)
>
> OTOH looking at the binary dependencies in sid (and ignoring packages
> only in sid https://release.debian.org/transitions/html/gnutls28.html
> the transition is basically done (there are some false positives due
> to libgnutls28-dev|libgnutls-dev dependencies), only these packages
> remain:
> openldap: Fixed for months in GIT, waiting for internal review.
> python-gnutls: Patches available for ages, nobody cares.
> mandos: Only reverse dependency of python-gnutls.
>
> Therefore on the binary side the transition can be finished after an
> openldap upload by removing python-gnutls/mandos/mod-gnutls from
> testing.

You say there are patches for python-gnutls, maybe that can be binNMU'ed?

> I will submit the missing Build-Depends related bug report in due
> course (not today). I suspect that in almost all of the cases the
> correct fix will be to simply drop the build-dependency.
>
> (As a fallback plan, if we cannot get these 12 source packages fixed
> in time for jessie gnutls28 could obviously take over the
> libgnutls-dev package.)

If it's just 12, I think it'd be possible to file bugs and NMU those that aren't 
fixed in a few days.

Emilio