From ueno at gnu.org Tue Nov 5 05:41:05 2024
From: ueno at gnu.org (Daiki Ueno)
Date: Tue, 05 Nov 2024 13:41:05 +0900
Subject: [gnutls-help] gnutls 3.8.8
Message-ID: <87o72ujnry.fsf-ueno@gnu.org>

Hello,

We have just released gnutls-3.8.8. This is a bug fix and enhancement release on the 3.8.x branch.

We would like to thank everyone who contributed in this release: Alan Coopersmith, Alexander Sosedkin, Andreas Metzler, Brad Smith, Daiki Ueno, David Meliksetyan, Ekaterina Zilotina, Jeff Mattson, Sahil Siddiq, and Zoltan Fridrich.

The detailed list of changes follows:

* Version 3.8.8 (released 2024-11-05)

** libgnutls: Experimental support for X25519MLKEM768 and SecP256r1MLKEM768 key exchange in TLS 1.3
The support for post-quantum key exchanges has been extended to cover the final standard of ML-KEM, following draft-kwiatkowski-tls-ecdhe-mlkem. The minimum supported version of liboqs is bumped to 0.11.0.

** libgnutls: All records included in an OCSP response are now checked in TLS
Previously, when multiple records are provided in a single OCSP response, only the first record was considered; now all those records are examined until the server certificate matches.

** libgnutls: Handling of malformed compress_certificate extension is now more standard compliant
The server behavior on receiving a malformed compress_certificate extension now more strictly follows RFC 8879: an illegal_parameter alert is returned instead of bad_certificate, and overlong extension data is properly rejected.

** build: More flexible library linking options for compression libraries, TPM, and liboqs support
The configure options --with-zstd, --with-brotli, --with-zlib, --with-tpm2, and --with-liboqs now take 4 states: yes/link/dlopen/no, to specify how the libraries are linked or loaded.

** API and ABI modifications:
No changes since last version.
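As an added illustration of the OCSP change above (example code, not GnuTLS's own), each SingleResponse record is matched to a certificate through its CertID (hash of the issuer Name, hash of the issuer's public key bits, serial number, per RFC 6960), and the first-record-only check is compared with examining every record. The certificate fields are constructed placeholder bytes, and responder signature verification is out of scope.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    """The certificate fields OCSP CertID matching needs (constructed values below)."""
    issuer_name_der: bytes   # DER encoding of the issuer Name
    issuer_key_bits: bytes   # issuer's subjectPublicKey BIT STRING value
    serial: int

@dataclass(frozen=True)
class SingleResponse:
    """One record (RFC 6960 SingleResponse) inside a BasicOCSPResponse."""
    hash_alg: str            # CertID.hashAlgorithm, e.g. "sha1" or "sha256"
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial: int
    cert_status: str         # "good", "revoked" or "unknown"

def cert_id(cert: Cert, hash_alg: str):
    """CertID of cert as a responder computes it with the given hash algorithm."""
    digest = lambda data: hashlib.new(hash_alg, data).digest()
    return digest(cert.issuer_name_der), digest(cert.issuer_key_bits), cert.serial

def record_matches(rec: SingleResponse, cert: Cert) -> bool:
    # The record names which hash it used, so recompute the CertID with that one.
    return cert_id(cert, rec.hash_alg) == (rec.issuer_name_hash, rec.issuer_key_hash, rec.serial)

def status_first_record_only(records: List[SingleResponse], cert: Cert) -> Optional[str]:
    """Behaviour before 3.8.8: only the first record is compared with the certificate."""
    if records and record_matches(records[0], cert):
        return records[0].cert_status
    return None   # the response does not cover this certificate

def status_any_record(records: List[SingleResponse], cert: Cert) -> Optional[str]:
    """Behaviour in 3.8.8: walk the records until one matches the certificate."""
    for rec in records:
        if record_matches(rec, cert):
            return rec.cert_status
    return None

def make_record(cert: Cert, status: str, hash_alg: str = "sha256") -> SingleResponse:
    """Build the record a responder would issue for cert (used for the sample data)."""
    name_hash, key_hash, serial = cert_id(cert, hash_alg)
    return SingleResponse(hash_alg, name_hash, key_hash, serial, status)

# Constructed sample data: placeholder bytes stand in for real DER and key material.
ISSUER = (b"CN=Sample Issuer CA (constructed)", b"\x03constructed-issuer-key-bits")
INTERMEDIATE = Cert(*ISSUER, serial=0x1001)
SERVER = Cert(*ISSUER, serial=0x1002)
# One response carrying two records; the server certificate's record comes second.
SAMPLE_RESPONSE = [make_record(INTERMEDIATE, "good"), make_record(SERVER, "revoked")]
```

With the sample response, the first-record-only check never sees the server certificate's revoked status; walking all records does.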
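As an added example of the compress_certificate handling above (not GnuTLS code), a server-side parser for the extension body as RFC 8879 defines it: the one-byte vector length must be even, within 2..254, and cover exactly the remaining extension data, so overlong data is rejected with an illegal_parameter alert; unknown algorithm code points are skipped rather than treated as an error. Function names are assumptions; the alert and algorithm numbers are the registered values.

```python
import struct
from typing import List, Optional, Tuple

# TLS AlertDescription (RFC 8446). GnuTLS 3.8.8 answers a malformed
# compress_certificate extension with illegal_parameter instead of bad_certificate.
ILLEGAL_PARAMETER = 47

# CertificateCompressionAlgorithm code points registered by RFC 8879.
KNOWN_ALGORITHMS = {1: "zlib", 2: "brotli", 3: "zstd"}

class MalformedExtension(ValueError):
    """Raised for extension_data that does not match the RFC 8879 syntax."""

def parse_compress_certificate(ext_data: bytes) -> List[int]:
    """Parse the extension_data of compress_certificate (RFC 8879, section 3):
         CertificateCompressionAlgorithm algorithms<2..2^8-2>;
    i.e. a one-byte vector length followed by 2-byte algorithm ids.
    Returns the ids in the client's preference order."""
    if not ext_data:
        raise MalformedExtension("missing vector length")
    vlen, body = ext_data[0], ext_data[1:]
    if vlen < 2 or vlen > 254 or vlen % 2:
        raise MalformedExtension("vector length must be even and within 2..254")
    if vlen != len(body):
        # Rejects truncated data and, equally, overlong extension data that
        # carries bytes beyond the declared vector.
        raise MalformedExtension("vector length does not match extension_data length")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, vlen, 2)]

def server_select(ext_data: bytes, supported=(2, 3)) -> Tuple[str, Optional[int]]:
    """Server-side handling of the extension: ("alert", 47) for malformed data,
    ("algorithm", id) for the first client-preferred id the server supports, or
    ("none", None) when nothing usable was offered (send Certificate uncompressed).
    `supported` is an assumed server configuration (brotli and zstd here)."""
    try:
        offered = parse_compress_certificate(ext_data)
    except MalformedExtension:
        return ("alert", ILLEGAL_PARAMETER)
    for alg in offered:
        if alg in KNOWN_ALGORITHMS and alg in supported:
            return ("algorithm", alg)
    return ("none", None)
```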
Getting the Software
====================

GnuTLS may be downloaded directly from https://www.gnupg.org/ftp/gcrypt/
A list of GnuTLS mirrors can be found at http://www.gnutls.org/download.html

Here are the XZ compressed sources:
https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.8.tar.xz

Here are OpenPGP detached signatures signed using key: 5D46CB0F763405A7053556F47A75A648B3F9220C
https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.8.tar.xz.sig

Note that it has been signed with my openpgp key:
pub   rsa4096 2009-07-23 [SC] [expires: 2026-06-29]
      462225C3B46F34879FC8496CD605848ED7E69871
uid           [ultimate] Daiki Ueno
uid           [ultimate] Daiki Ueno
sub   rsa4096 2010-02-04 [E]

Regards,
-- 
Daiki Ueno


From lists at schamschula.com Wed Nov 6 12:34:45 2024
From: lists at schamschula.com (Marius Schamschula)
Date: Wed, 6 Nov 2024 05:34:45 -0600
Subject: [gnutls-help] error: initializer element is not a compile-time constant
Message-ID: <74F694DE-2138-41DF-96BE-AD04A2396029@schamschula.com>

While updating gnutls(-devel) to 3.8.8 most of the MacPorts build bots have errored out with the following error:

libtool: compile: /usr/bin/clang -DHAVE_CONFIG_H -I. -I../.. -I./../../gl -I./../../gl -I./../includes -I./../includes -I./../../gl -I./..
-I/opt/local/include -isysroot/Library/Developer/CommandLineTools/SDKs/MacOSX14.sdk -Wtype-limits -Wall -Wbad-function-cast -Wdate-time -Wdisabled-optimization -Wdouble-promotion -Wextra -Winit-self -Winvalid-pch -Wmissing-declarations -Wmissing-include-dirs -Wmissing-prototypes -Wnested-externs -Wnull-dereference -Wold-style-definition -Wpacked -Wpointer-arith -Wshadow -Wstrict-prototypes -Wuninitialized -Wunknown-pragmas -Wvariadic-macros -Wwrite-strings -Wformat=2 -Wno-missing-field-initializers -Wno-unused-parameter -fdiagnostics-show-option -fno-builtin-strcmp -I/opt/local/include/p11-kit-1 -pipe -Os -isysroot/Library/Developer/CommandLineTools/SDKs/MacOSX14.sdk -arch arm64 -c groups.c -fno-common -DPIC -o .libs/groups.o
groups.c:93:2: error: initializer element is not a compile-time constant
        group_x25519,
        ^~~~~~~~~~~~
1 error generated.

Marius
-- 
Marius Schamschula


From ametzler at bebt.de Mon Nov 11 06:55:55 2024
From: ametzler at bebt.de (Andreas Metzler)
Date: Mon, 11 Nov 2024 06:55:55 +0100
Subject: [gnutls-help] guile-gnutls orphaned?
Message-ID: 

Hello,

is guile-gnutls still alive/supported? I am mainly asking because of .

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'


From simon at josefsson.org Mon Nov 11 08:19:40 2024
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 11 Nov 2024 08:19:40 +0100
Subject: [gnutls-help] guile-gnutls orphaned?
In-Reply-To: (Andreas Metzler's message of "Mon, 11 Nov 2024 06:55:55 +0100")
References: 
Message-ID: <87a5e6b5kj.fsf@kaka.sjd.se>

Andreas Metzler writes:

> Hello,
>
> is guile-gnutls still alive/supported? I am mainly asking because of
> .
I'm happy to make releases, but I mostly rely on people creating merge requests that pass the pipeline (which seems to be in a poor state) for making changes, although my time for this project is a bit stochastic. I've pushed this particular fix now, thank you! Would a new release help?

/Simon


From ametzler at bebt.de Mon Nov 11 12:01:48 2024
From: ametzler at bebt.de (Andreas Metzler)
Date: Mon, 11 Nov 2024 12:01:48 +0100
Subject: [gnutls-help] guile-gnutls orphaned?
In-Reply-To: <87a5e6b5kj.fsf@kaka.sjd.se>
References: <87a5e6b5kj.fsf@kaka.sjd.se>
Message-ID: 

On 2024-11-11 Simon Josefsson wrote:
> Andreas Metzler writes:
>> is guile-gnutls still alive/supported? I am mainly asking because of
>> .

> I'm happy to make releases, but I mostly rely on people creating merge
> requests that pass the pipeline (which seems to be in a poor state) for
> making changes, although my time for this project is a bit stochastic.
> I've pushed this particular fix now, thank you! Would a new release
> help?

Hello Simon,

thank you, yes I would appreciate a release.

The original question is less about releases than whether the project is alive. I care about that because I would rather not ship (especially security-sensitive) software without upstream support in a Debian stable release.

I do hope my original mail did not sound like a rebuke - it was intended as an honest question, I am on a fact-finding mission.

TIA, cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'


From simon at josefsson.org Mon Nov 11 19:08:11 2024
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 11 Nov 2024 19:08:11 +0100
Subject: [gnutls-help] guile-gnutls-4.0.1 released [stable]
Message-ID: <8734jxbq44.fsf@kaka.sjd.se>

This is to announce guile-gnutls-4.0.1, a stable release.

Guile-GnuTLS provides Guile bindings for the GnuTLS library.

There have been 26 commits by 4 people in the 63 weeks since 4.0.0.

See the NEWS below for a brief summary.

Thanks to everyone who has contributed! The following people contributed changes to this release:

  Artyom V. Poptsov (1)
  Natanael Copa (1)
  Simon Josefsson (15)
  Vivien Kraus (9)

Happy Hacking,
Simon

==================================================================

Here is the guile-gnutls home page:
    https://gitlab.com/gnutls/guile

The release is available here:
    https://gitlab.com/gnutls/guile/-/releases/v4.0.1

For a summary of changes and contributors, see:
  https://gitlab.com/gnutls/guile/-/commits/v4.0.1?ref_type=tags
or run this command from a git-cloned guile-gnutls directory:
  git shortlog v4.0.0..v4.0.1

The guile-gnutls git tag v4.0.1 corresponds to this SHA1 git commit: 551da18d89dc0f027b0b0ab12d784f439a74d688.

Here are the compressed sources and a GPG detached signature:
  https://ftpmirror.gnu.org/guile-gnutls/guile-gnutls-4.0.1.tar.gz
  https://ftpmirror.gnu.org/guile-gnutls/guile-gnutls-4.0.1.tar.gz.sig

Use a mirror for higher download bandwidth:
  https://www.gnu.org/order/ftp.html

Here are the SHA1 and SHA256 checksums:

  7493fa5cad8e2ba61296aea8b65ed2d989136e08  guile-gnutls-4.0.1.tar.gz
  AfC6O+qDe7RNyxs//M48Lr6IaZ0KO92sHYeeR1qXh+Q=  guile-gnutls-4.0.1.tar.gz

Verify the base64 SHA256 checksum with cksum -a sha256 --check from coreutils-9.2 or OpenBSD's cksum since 2007.

Use a .sig file to verify that the corresponding file (without the .sig suffix) is intact. First, be sure to download both the .sig file and the corresponding tarball.
Then, run a command like this:

  gpg --verify guile-gnutls-4.0.1.tar.gz.sig

The signature should match the fingerprint of the following key:

  pub   ed25519 2019-03-20 [SC]
        B1D2 BD13 75BE CB78 4CF4  F8C4 D73C F638 C53C 06BE
  uid           Simon Josefsson

If that command fails because you don't have the required public key, or that public key has expired, try the following commands to retrieve or refresh it, and then rerun the 'gpg --verify' command.

  gpg --locate-external-key simon at josefsson.org
  gpg --recv-keys 51722B08FE4745A2
  wget -q -O- 'https://savannah.gnu.org/project/release-gpgkeys.php?group=guile-gnutls&download=1' | gpg --import -

As a last resort to find the key, you can try the official GNU keyring:

  wget -q https://ftp.gnu.org/gnu/gnu-keyring.gpg
  gpg --keyring gnu-keyring.gpg --verify guile-gnutls-4.0.1.tar.gz.sig

This release was bootstrapped with the following tools:
  Autoconf 2.71
  Automake 1.16.5
  Makeinfo 6.8
  Libtoolize 2.4.6

NEWS

* Noteworthy changes in release 4.0.1 (2024-11-11) [stable]

** Fix GnuTLS 3.8.4+ compilation due to new RSA-OAEP support.

** Bind hex-encode and hex-decode

** Harmonize license templates mainly to avoid obsolete FSF postal address.

** Improve anonymous authentication guile example.

** Update gnulib files.


From simon at josefsson.org Mon Nov 11 19:27:44 2024
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 11 Nov 2024 19:27:44 +0100
Subject: [gnutls-help] guile-gnutls orphaned?
In-Reply-To: (Andreas Metzler's message of "Mon, 11 Nov 2024 12:01:48 +0100")
References: <87a5e6b5kj.fsf@kaka.sjd.se>
Message-ID: <87wmh9aan3.fsf@kaka.sjd.se>

Andreas Metzler writes:

> On 2024-11-11 Simon Josefsson wrote:
>> Andreas Metzler writes:
>
>>> is guile-gnutls still alive/supported? I am mainly asking because of
>>> .
>
>> I'm happy to make releases, but I mostly rely on people creating merge
>> requests that pass the pipeline (which seems to be in a poor state) for
>> making changes, although my time for this project is a bit stochastic.
>> I've pushed this particular fix now, thank you! Would a new release
>> help?
>
> Hello Simon,
>
> thank you, yes I would appreciate a release.

I have released 4.0.1 now.

> The original question is less about releases than whether the project is
> alive. I care about that because I would rather not ship (especially
> security-sensitive) software without upstream support in a Debian stable
> release.
>
> I do hope my original mail did not sound like a rebuke - It was intended as
> an honest question, I am on a fact-finding mission.

The project is supported, and I believe (Ludovic/Vivien can correct me) that guile-gnutls is an important component in the Guix bootstrap. So I think there are more people caring about guile-gnutls than some other projects.

Guix still uses GnuTLS 3.8.3 (plus patches) which is why Guix didn't notice the build problem with 3.8.4+. We could add a Debian:testing GitLab pipeline job to notice problems with the recent GnuTLS release, if that would help? Maybe that would have caught this problem earlier.

Of course, I'm not saying the project couldn't use more help from volunteers. I'll be happy to rotate the release duty too. Vivien or Ludovic, do you have cycles for this? I followed README-release, manually added the GitLab release through the web interface, and customized the announcement e-mail and sent it off. On the other hand, we just made a release so I'm not sure if there is anything more to be done at this point. I have a recipe to get a reproducible source tarball in other projects (compare libntlm and oath-toolkit), so making that happen together with publishing a minimal git-archive tarball would be a nice near-term improvement though.
/Simon


From ametzler at bebt.de Tue Nov 12 13:51:14 2024
From: ametzler at bebt.de (Andreas Metzler)
Date: Tue, 12 Nov 2024 13:51:14 +0100
Subject: [gnutls-help] guile-gnutls orphaned?
In-Reply-To: <87wmh9aan3.fsf@kaka.sjd.se>
References: <87a5e6b5kj.fsf@kaka.sjd.se> <87wmh9aan3.fsf@kaka.sjd.se>
Message-ID: 

On 2024-11-11 Simon Josefsson wrote:
> Andreas Metzler writes:
>> On 2024-11-11 Simon Josefsson wrote:
>>> Andreas Metzler writes:
>>>> is guile-gnutls still alive/supported? I am mainly asking because of
[...]
> The project is supported,

Question answered. :-)

[...]
> Guix still uses GnuTLS 3.8.3 (plus patches) which is why Guix
> didn't notice the build problem with 3.8.4+. We could add a
> Debian:testing GitLab pipeline job to notice problems with the recent
> GnuTLS release, if that would help?
[...]

Sounds like a nice enhancement.

cu Andreas


From simon at josefsson.org Tue Nov 12 15:07:56 2024
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 12 Nov 2024 15:07:56 +0100
Subject: [gnutls-help] guile-gnutls orphaned?
In-Reply-To: (Andreas Metzler's message of "Tue, 12 Nov 2024 13:51:14 +0100")
References: <87a5e6b5kj.fsf@kaka.sjd.se> <87wmh9aan3.fsf@kaka.sjd.se>
Message-ID: <87v7ws8s03.fsf@kaka.sjd.se>

Andreas Metzler writes:

>> Guix still uses GnuTLS 3.8.3 (plus patches) which is why Guix
>> didn't notice the build problem with 3.8.4+. We could add a
>> Debian:testing GitLab pipeline job to notice problems with the recent
>> GnuTLS release, if that would help?
> [...]
>
> Sounds like a nice enhancement.

I added a debian:testing job now, and a weekly scheduled pipeline build.

https://gitlab.com/gnutls/guile/-/jobs/8335420274

This made me notice that SRP is disabled in trixie, which broke guile-gnutls 'make distcheck'.
This was already reported as https://gitlab.com/gnutls/guile/-/issues/4 but it would be nice to fix that in a cleaner way. I suppose most people don't run 'make distcheck' though.

/Simon


From ludo at gnu.org Wed Nov 20 12:37:39 2024
From: ludo at gnu.org (Ludovic Courtès)
Date: Wed, 20 Nov 2024 12:37:39 +0100
Subject: [gnutls-help] guile-gnutls orphaned?
In-Reply-To: <87wmh9aan3.fsf@kaka.sjd.se> (Simon Josefsson's message of "Mon, 11 Nov 2024 19:27:44 +0100")
References: <87a5e6b5kj.fsf@kaka.sjd.se> <87wmh9aan3.fsf@kaka.sjd.se>
Message-ID: <87cyiqyw3g.fsf@gnu.org>

Hi Simon, Andreas,

Simon Josefsson skribis:

> The project is supported, and I believe (Ludovic/Vivien can correct me)
> that guile-gnutls is an important component in the Guix bootstrap. So I
> think there are more people caring about guile-gnutls than some other
> projects.

Yes, as Vivien wrote, Guix and many Guile users rely on this.

To me it's okay for such a project to evolve slowly: the security-sensitive and important part is GnuTLS itself, to which Guile-GnuTLS merely provides bindings.

> Of course, I'm not saying the project couldn't use more help from
> volunteers. I'll be happy to rotate the release duty too. Vivien or
> Ludovic, do you have cycles for this?

Unfortunately I cannot commit to doing this, but I agree that it'd be nice to remove some of the burden from your shoulders.

(Speaking of which, I'd like to thank you Simon for all the work you've been doing on Guile-GnuTLS, starting with the migration as a separate project a while back. Much appreciated!)

Ludo'.