[SOLVED] vim-7.4.050 in Slackware 14.1 uses broken Blowfish encryption
SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
vim-7.4.050 in Slackware 14.1 uses broken Blowfish encryption
Hi,
Current version of vim available in Slackware 14.1 is 7.4.050. This version uses broken implementation of Blowfish encryption algorithm. This has been known for some time. This bug is fixed in vim-7.4.399, but it's not available in Slackware 14.1.
I was wondering: is it reasonable to make a request for updating vim in Slackware 14.1 to the version where encryption is fixed? That would be just a micro version update. How do I make this kind of request? Do we have some kind of process for it?
Initially I thought I'll just build a more recent version from source. But it's not exactly user friendly... I was surprised to see that one has to manually apply hundreds of patches to get to the latest patchlevel from 7.4 branch.
So I thought that maybe it would be worthwile to update the package in the distribution, since Slackware 14.1 is still supported. Especially that it would address a well known issue.
Initially I thought I'll just build a more recent version from source. But it's not exactly user friendly... I was surprised to see that one has to manually apply hundreds of patches to get to the latest patchlevel from 7.4 branch.
You can just grab the tarball from github for that release.
But that is not a very friendly release style. Looks like pretty much every commit is turned into a release. I feel sorry for people who need to keep up with it.
There is a "releases" tab on github if you're on the main page. Once I went in there, I started browsing through their releases, but that was a fruitless endeavor, due to how many frickin releases they had. So I then checked your initial post which stated they fixed it in the .399 patch release, and I tried typing that in, which worked. I then checked their patches directory to find their highest patch for the 7.4 series and then plugged that into github, which is what I linked to.
The following is mostly unimportant, but if you download github releases frequently, it might be helpful to learn.
That actually isn't the exact link provided by github, but if you use their link (https://github.com/vim/vim/archive/v7.4.2367.tar.gz), you can get different names depending on whether you use a downloader that supports content disposition. Most (all?) browsers do, but wget, without flags, won't. If you download something that supports content disposition, it will take that link and provide you with vim-7.4.2367.tar.gz, but if you use something that doesn't support content disposition, it will use the exact name from the server, in this case, v7.4.2367.tar.gz. So, github provides a fancy way to change the name of the download by adding your own filename after the version. In this case, we want to add the program name and the version, keeping tar.gz at the end.
It should be noted that basically, git will use the repo name and the version (removing an v from before it) for the folder name of the tarball. Basically, if your github release is formatted like: https://github.com/user/repo/v1.2.3, the folder will be called repo-1.2.3/, no matter what filename you put at the end. So, if you put https://github.com/user/repo/v1.2.3/repo-custom-1.2.3.4.tar.gz, the file will be called repo-custom-1.2.3.4.tar.gz, but when you extract it, the folder will just be repo-1.2.3/.
If you end up creating a SlackBuild for SBo based on a github release, the above information can help prevent some error reports from users who may or may not being using a downloader with content disposition. It's caught me before on a few of the SlackBuilds I maintain.
Last edited by bassmadrigal; 04-08-2017 at 05:10 PM.
Reason: Fixed formatting issues...
The following is mostly unimportant, but if you download github releases frequently, it might be helpful to learn.
This is very informative. I was wondering about these things, but never found the time to investigate the details. Thank you for putting this together.
... For the 7.4 branch, they have up to the 2367 patchlevel. ...
You wish. There is no 7.4 branch. Just trunk (master).
For example "patch 1274" ("7.4.1274") adds the job functionality of vim8.
7.4.2367 is really 8.0.
Quote:
Originally Posted by bassmadrigal
... But that is not a very friendly release style. Looks like pretty much every commit is turned into a release. I feel sorry for people who need to keep up with it.
Well, that was really disrespectful of you to approach Vim developers in such fashion, I'm not surprised by the outcome of this GitHub issue.
Try to look at this from a different perspective. Vim is a very old project that's still in development (from Wikipedia: "Bram Moolenaar began working on Vim for the Amiga computer in 1988. Moolenaar first publicly released Vim (v1.14) in 1991."). It's been maintained mostly by a single person (with help from others) for more than 25 years without any monetary reward. 25 years is a big chunk of someone's life when you think about it. So try to be more grateful to this person for his ongoing commitment to this project which you seem to care about as well.
That's really a peculiar way of maintaining and releasing software...
I'll skip patching 7.4 and just build version 8.0.x like dugan suggested. It appears to be the most reasonable solution.
Geez, that makes it even worse. That's crazy that they don't keep things separate.
Quote:
Originally Posted by audriusk
Well, that was really disrespectful of you to approach Vim developers in such fashion, I'm not surprised by the outcome of this GitHub issue.
Try to look at this from a different perspective. Vim is a very old project that's still in development (from Wikipedia: "Bram Moolenaar began working on Vim for the Amiga computer in 1988. Moolenaar first publicly released Vim (v1.14) in 1991."). It's been maintained mostly by a single person (with help from others) for more than 25 years without any monetary reward. 25 years is a big chunk of someone's life when you think about it. So try to be more grateful to this person for his ongoing commitment to this project which you seem to care about as well.
So, just because he's been doing it for 25 years excuses poor coding practice? Good points were brought up that it is almost impossible to distinguish between bug fixes and new (potentially buggy/harmful) additions. Not to mention there are literally 1000s of releases to try and wade through even if they did keep stable and development separate.
Personally, I don't care too much about this, because I'm not a vim user, but for someone trying to get a known stable, patched version of vim (not just rolling the dice hoping the latest commit/release fits that criteria)... good luck.
So, just because he's been doing it for 25 years excuses poor coding practice? Good points were brought up that it is almost impossible to distinguish between bug fixes and new (potentially buggy/harmful) additions. Not to mention there are literally 1000s of releases to try and wade through even if they did keep stable and development separate.
No, of course anyone's free to criticize the current development model of Vim and suggest ways to make it better, I myself do think it could be better. But telling it in the way it was told ("the way you're doing things is stupid, you should be doing this instead") to someone who's doing it for free and giving his work away for free (and for so many years!) for anyone to use however they like won't be received with much enthusiasm, to say the least.
Quote:
Originally Posted by bassmadrigal
Personally, I don't care too much about this, because I'm not a vim user, but for someone trying to get a known stable, patched version of vim (not just rolling the dice hoping the latest commit/release fits that criteria)... good luck.
The way I see it, it's essentially a rolling release development model, with major versions being a snapshots to indicate that some milestones have been accomplished. There, now I put a more trendy term on it.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.