RHEL-72578

outdated version of sequoia-sq in c10s / RHEL 10 beta


    • rust-sequoia-sq-1.1.0-1.el10
    • No
    • Important
    • 1
    • rhel-security-crypto
    • ssg_security
    • 24
    • 1
    • False
    • False
    • No
    • Crypto25Q1
    • Rebase
    • The rust-sequoia-sq package has been updated from an unstable version 0.37 to the latest stable release 1.1.0, with better compatibility of the sq command-line tool. See the upstream announcement (https://sequoia-pgp.org/blog/2024/12/16/202412-sq-1.0/) for details.

      Replaced by a newer version in https://issues.redhat.com/browse/RHEL-84033
    • All
    • None

      The version of sq (rust-sequoia-sq) in c10s is quite outdated compared to ELN / Fedora:

      • current upstream: 1.1.0
      • Fedora Rawhide / ELN: 1.1.0
      • CentOS Stream 10: 0.37.0

      According to the centos-stream project on GitLab, the currently shipped version is 0.37.0, which was released seven months ago. It looks like the package in c10s has not been updated since it was initially imported:

      https://gitlab.com/redhat/centos-stream/rpms/rust-sequoia-sq/-/commits/c10s?ref_type=heads

      There were four major releases since 0.37.0, including the first "stable" 1.0.0 release (and a followup 1.1.0 release):

      https://crates.io/crates/sequoia-sq/versions

      As the maintainer of this package in Fedora (and member of the upstream project), I would strongly recommend moving to the 1.x branch.

      Releases prior to 1.0.0 contained breaking changes to the command-line interface, but future releases on the 1.x branch are now guaranteed to be backwards-compatible with the CLI as of 1.0.0 - and the 1.x branch will be maintained for an extended period of time.

      https://sequoia-pgp.org/blog/2024/12/16/202412-sq-1.0/

              dueno@redhat.com Daiki Ueno
              decathorpe_gmail Fabio Valentini (Inactive)
              Jakub Jelen Jakub Jelen
              Stanislav Zidek Stanislav Zidek
              Mirek Jahoda Mirek Jahoda