View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0010140 | Taler | wallet-core | public | 2025-06-29 14:40 | 2025-09-28 16:49 |
| Reporter | oec | Assigned To | avalos | ||
| Priority | high | Severity | major | Reproducibility | have not tried |
| Status | assigned | Resolution | open | ||
| Product Version | 1.0 | ||||
| Target Version | post-1.0 | ||||
| Summary | 0010140: Update third party dependencies [6h] | ||||
| Description | The versions of the dependencies of the embedded code are outdated: curl: 7.86.0 vs 8.14.1 sqlite: 3.42.0 vs 3.50.2 c-ares: 1.25.0 vs 1.34.5 mbedtls: 3.3.0 vs 3.6.3.1 zlib: 1.2.13 vs 1.3 libsodium: 1.0.18 vs 1.0.20 quickjs: 2024-01-13 vs 2025-04-26 Some of them even contain security fixes, many of them recommend upgrades. | ||||
| Tags | security | ||||
|
|
@fdold I could maybe take over this, but did you do any modifications to any of those libraries? I noticed that the meson scripts are not in the official release tarballs of some of those libraries, did you write them by hand? As for qtart, however, is the situation better now in terms of separation of changes? Otherwise, I think you are the best person to tackle it, since you have a better picture of the modifications that you did to the codebase. |
|
|
Ivan: maybe start with the libraries that were not modified (or where only meson scripts were added)? |
|
|
The last quickjs upgrade actually went very smoothly. The dependencies (in the subprojects/ folder) indeed use custom meson files *unless* they already come with their own meson build system. |
|
|
Current progress: ✅ sqlite3 to 3.50.4 ✅ curl to 8.15.0 ✅ mbedtls to 3.6.4 ✅ libsodium to 1.0.20 ❌ zlib to 1.3.1 (dependency deleted) ⌛ c-ares to 1.34.5 ⌛ quickjs to 2025-04-26 |
|
|
Update: I managed to get Meson to talk to CMake, so now there is no need to maintain the hand-written Meson scripts for /all dependencies/, the only exceptions currently being curl, libsodium, and quickjs. The upgrades, however, broke the build system for iOS, which is hand-written with Xcode, so I wrote a script (./cross/package-ios.sh) that builds and packages a ready-to-use iOS multi-arch, multi-platform library that can be directly copy/pasted into Xcode. However, due to some shortcomings of Meson (linking to an external static library, namely sqlite3, that is not built by Meson itself, see https://github.com/mesonbuild/meson/issues/10927), Marc decided not to use the script, so I'll leave it to him to maintain the Xcode build system, at least until the Meson limitation is sorted out. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2025-06-29 14:40 | oec | New Issue | |
| 2025-06-30 14:02 | Christian Grothoff | Assigned To | => Florian Dold |
| 2025-06-30 14:02 | Christian Grothoff | Priority | normal => high |
| 2025-06-30 14:02 | Christian Grothoff | Status | new => assigned |
| 2025-06-30 14:02 | Christian Grothoff | Target Version | post-1.0 => 1.0 stretch goals |
| 2025-07-07 23:23 | avalos | Note Added: 0025438 | |
| 2025-07-09 01:59 | Florian Dold | Summary | Update third party dependencies => Update third party dependencies [6h] |
| 2025-07-09 08:52 | Christian Grothoff | Assigned To | Florian Dold => avalos |
| 2025-07-09 08:53 | Christian Grothoff | Note Added: 0025453 | |
| 2025-07-09 12:49 | Florian Dold | Note Added: 0025455 | |
| 2025-08-19 22:39 | avalos | Note Added: 0025660 | |
| 2025-08-31 19:08 | Christian Grothoff | Product Version | git (master) => 1.0 |
| 2025-08-31 19:08 | Christian Grothoff | Target Version | 1.0 stretch goals => 1.1 |
| 2025-08-31 19:16 | Christian Grothoff | Tag Attached: security | |
| 2025-08-31 19:16 | Christian Grothoff | Target Version | 1.1 => post-1.0 |
| 2025-09-27 21:42 | avalos | Note Added: 0026048 |
