Bug#914009: libgcrypt20: not tight enough shlibs file

Andreas Metzler ametzler at bebt.de
Sun Nov 18 14:04:12 GMT 2018

On 2018-11-18 Andreas Metzler <ametzler at bebt.de> wrote:
> On 2018-11-18 Samuel Thibault <sthibault at debian.org> wrote:
> > Source: libgcrypt20
> > Version: 1.8.4-3
> > Severity: important

>> debian/rules uses:

>>   dh_makeshlibs -V 'libgcrypt20 (>=1.8.0-0)'

>> But that is not tight enough. Applications would typically call

>>   gcry_check_version (GCRYPT_VERSION)

>> which will check the version which was used at the compilation time of
>> the application, thus requiring whatever version of libgcrypt was
>> installed at the time. The shlibs mentioned above allows to install an
>> earlier version of the package, but then the application crashes with

>>   libgcrypt version mismatch

>> so the dependency is not tight enough, debian/rules should be using the
>> upstream version instead of hardcoding 1.8.0-0

> Hello,

> no, applications should specify the version of gcrypt they require to
> compile succcessfully as argument to gcry_check_version instead of the
> version they are building against.

Hmm. Looking at codesearch.d.o and (with my angry eyes ;-) on gcrypt
documentation it might make sense to still change the dependency.

At least gpg gets it right.

cu Andreas
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

More information about the Pkg-gnutls-maint mailing list