gsasl-2.2.2 released [stable]
From: Simon Josefsson
Subject: gsasl-2.2.2 released [stable]
Date: Sun, 30 Mar 2025 21:59:35 +0200
User-agent: Gnus/5.13 (Gnus v5.13)
This is to announce gsasl-2.2.2, a stable release.
GNU SASL is a modern C library that implements the network security
protocol Simple Authentication and Security Layer (SASL). The framework
itself and a couple of common SASL mechanisms are implemented. GNU SASL
can be used by network applications for IMAP, SMTP, XMPP and other
protocols to provide authentication services. Supported mechanisms
include CRAM-MD5, EXTERNAL, GSSAPI, ANONYMOUS, PLAIN, SECURID,
DIGEST-MD5, SCRAM-SHA-1(-PLUS), SCRAM-SHA-256(-PLUS), GS2-KRB5, SAML20,
OPENID20, LOGIN, and NTLM.
There have been 61 commits by 2 people in the 65 weeks since 2.2.1.
See the NEWS below for a brief summary.
Thanks to everyone who has contributed!
The following people contributed changes to this release:
Daniel Macks (1)
Simon Josefsson (60)
Happy Hacking,
Simon
==================================================================
The project's web page is available at:
https://www.gnu.org/software/gsasl/
Manual:
https://www.gnu.org/software/gsasl/manual/
https://www.gnu.org/software/gsasl/manual/gsasl.html - HTML format
https://www.gnu.org/software/gsasl/manual/gsasl.pdf - PDF format
API Reference manual:
https://www.gnu.org/software/gsasl/reference/ - GTK-DOC HTML
Doxygen documentation:
https://www.gnu.org/software/gsasl/doxygen/ - HTML format
https://www.gnu.org/software/gsasl/doxygen/gsasl.pdf - PDF format
For development snapshot QA analysis see:
https://gsasl.gitlab.io/gsasl/coverage/
https://gsasl.gitlab.io/gsasl/cyclo/
https://gsasl.gitlab.io/gsasl/clang-analyzer/
If you need help to use GNU SASL, or want to help others, you are
invited to join our help-gsasl mailing list, see:
https://lists.gnu.org/mailman/listinfo/help-gsasl
Here are the compressed sources and a GPG detached signature:
https://ftp.gnu.org/gnu/gsasl/gsasl-2.2.2.tar.gz
https://ftp.gnu.org/gnu/gsasl/gsasl-2.2.2.tar.gz.sig
Here are the minimal source-only "git archive" sources:
https://ftp.gnu.org/gnu/gsasl/gsasl-v2.2.2-src.tar.gz
https://ftp.gnu.org/gnu/gsasl/gsasl-v2.2.2-src.tar.gz.sig
Here are Sigsum Proofs:
https://ftp.gnu.org/gnu/gsasl/gsasl-2.2.2.tar.gz.proof
https://ftp.gnu.org/gnu/gsasl/gsasl-v2.2.2-src.tar.gz.proof
Use a mirror for higher download bandwidth:
https://www.gnu.org/order/ftp.html
Here are the SHA1 and SHA256 checksums:
8a845b7ec78e5f27bf69438074ad23867c00d4fe gsasl-2.2.2.tar.gz
QejkQmSOzK9kWdmtk9SxhTC5bI6vUOPzQlMu8nXv87o= gsasl-2.2.2.tar.gz
99dc5d5d991e3ab7e2a17fdf70167717a8ae9ee2 gsasl-v2.2.2-src.tar.gz
lg8/tscZUEpLMvEGUTpHbuII1IRXEZQsIqZsSFIjbB4= gsasl-v2.2.2-src.tar.gz
Verify the base64 SHA256 checksum with cksum -a sha256 --check
from coreutils-9.2 or OpenBSD's cksum since 2007.
Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact. First, be sure to download both the .sig file
and the corresponding tarball. Then, run a command like this:
gpg --verify gsasl-2.2.2.tar.gz.sig
The signature should match the fingerprint of the following key:
pub ed25519 2019-03-20 [SC]
B1D2 BD13 75BE CB78 4CF4 F8C4 D73C F638 C53C 06BE
uid Simon Josefsson <simon@josefsson.org>
If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to retrieve
or refresh it, and then rerun the 'gpg --verify' command.
gpg --locate-external-key simon@josefsson.org
gpg --recv-keys 51722B08FE4745A2
wget -q -O- 'https://savannah.gnu.org/project/release-gpgkeys.php?group=gsasl&download=1' | gpg --import -
As a last resort to find the key, you can try the official GNU
keyring:
wget -q https://ftp.gnu.org/gnu/gnu-keyring.gpg
gpg --keyring gnu-keyring.gpg --verify gsasl-2.2.2.tar.gz.sig
Use the .proof files to verify the Sigsum proof. These files are like
signatures but with extra transparency: you can cryptographically verify
that every signature is logged in a public append-only log, so you can
say with confidence what signatures exist. This makes hidden releases
no longer deniable for the same public key.
Releases are Sigsum-signed with the following public key:
cat <<EOF > jas-sigsum-key.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILzCFcHHrKzVSPDDarZPYqn89H5TPaxwcORgRg+4DagE
EOF
Run a command like this to verify downloaded artifacts:
wget -q -Otrust.txt https://gnu.org/s/gsasl/sigsum-policy-20250309.txt
sigsum-verify -k jas-sigsum-key.pub -p trust.txt \
gsasl-2.2.2.tar.gz.proof < gsasl-2.2.2.tar.gz
You may learn more about Sigsum concepts and find instructions how to
download the tools here: https://www.sigsum.org/getting-started/
This release is based on the gsasl git repository, available as
git clone https://git.savannah.gnu.org/git/gsasl.git
with commit 50df5266e709c6e2cc4d3e7d95e6f7444578b7e6 tagged as v2.2.2.
For a summary of changes and contributors, see:
https://git.sv.gnu.org/gitweb/?p=gsasl.git;a=shortlog;h=v2.2.2
or run this command from a git-cloned gsasl directory:
git shortlog v2.2.1..v2.2.2
This release was bootstrapped with the following tools:
Gnulib 2025-02-01 c89cd2fbd3b9f3d7c5a146247256599714c91ec7
Autoconf 2.71
Automake 1.16.5
Libtoolize 2.4.7
Make 4.3
Makeinfo 7.1.1
Help2man 1.49.2
Gperf 3.1
Gengetopt 2.23
Gtkdocize 1.34.0
Tar 1.34
Gzip 1.13
Guix 744cf07005745312ccddb549bb1bab5ab7031106
NEWS
* Noteworthy changes in release 2.2.2 (2025-03-30) [stable]
** The release tarball is now reproducible.
Builds on the following pairs of systems are tested continuously in
GitLab CI/CD to assert that the tarball is identical: Trisquel 11
against Ubuntu 22.04, PureOS 10 against Debian 11, Devuan 5 against
Debian 12, AlmaLinux 8 against RockyLinux 8, and AlmaLinux 9 against
RockyLinux 9. There are still minor variations between non-similar
platforms, depending on the different versions of the bootstrapping
tools used. For example, a tarball generated on a Trisquel 11
(derived from Ubuntu 22.04) system should be identical to a tarball
from an Ubuntu 22.04 system, but will not be identical to a tarball
generated on a PureOS 10 system which uses different bootstrapping
tool versions. The release archive itself was prepared using Guix.
** We publish a minimal source-only tarball generated by 'git archive'.
This tarball only contains the files stored in version controlled
sources, and no auxiliary files. The source-only tarball may be
reproduced with Git 2.49.0 from Guix. If something results in the
'git archive' format changing again, the tarball can only be
reproduced using an earlier system. The git version in AlmaLinux 8,
AlmaLinux 9, RockyLinux 8, RockyLinux 9, Devuan 5, Debian 12 and
Ubuntu 24.04 all produce the same identical 'git archive' tarball.
The git version used on Debian 11, PureOS 10, Trisquel 11 and Ubuntu
22.04 produces another identical tarball. These two 'git archive'
outputs are not the same, due to how Git works. The release archive
itself was prepared using Guix.
** The release tarball uses tar --format=ustar.
Some other flags are added too, to follow these recommendations:
https://www.gnu.org/software/tar/manual/html_node/Reproducibility.html
For reference, the GNUMakefile file from gnulib adds to TAR_OPTIONS:
--owner=0 --group=0 --numeric-owner --sort=name
The cfg.mk file further adds:
--mode=go+u,go-w --mtime=$(abs_top_srcdir)/NEWS
The modification time of NEWS is always set to last git commit time
before release, see below AC_OUTPUT in configure.ac.
We hope that the tarball produced this way is usable on all hosts but
please let us know if you run into troubles like unpacking the tarball
or that some generated file is rebuilt needlessly requiring some
maintainer tool that shouldn't normally be needed.
** libgsasl: Support for macOS GSS framework.
Build using --with-gssapi-impl=framework to get native GSS-API
implementation on macOS. Patch from Daniel Macks.
** The gsasl tool now binds the "gnulib" domain for translations.
** The gsasl.h header #include's sys/types.h instead of unistd.h for ssize_t.
** Update gnulib files and build fixes.
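
The following is an added example, not part of the original announcement or the gsasl build system. It applies the tar flags quoted in the NEWS entry "The release tarball uses tar --format=ustar" to two constructed source trees that differ only in file permissions, timestamps and creation order, and compares the result with a plain tar run. The pkg-1.0 tree and the function names are hypothetical; GNU tar 1.28 or later is assumed for --sort=name.

```shell
#!/bin/sh
# Added example: pack directory $1 into $2 with the flags quoted in the NEWS
# entry. $3 is an absolute path to the file whose mtime is stamped on every
# member (the release uses NEWS).
repro_tar() {
    tar --format=ustar \
        --owner=0 --group=0 --numeric-owner --sort=name \
        --mode=go+u,go-w --mtime="$3" \
        -C "$(dirname "$1")" -cf "$2" "$(basename "$1")"
}

# Constructed input: two trees with identical content but different creation
# order, permissions and timestamps, standing in for two build hosts.
make_trees() {
    mkdir -p "$1/a/pkg-1.0/src" "$1/b/pkg-1.0/src"
    printf 'news\n'   > "$1/a/pkg-1.0/NEWS"
    printf 'int x;\n' > "$1/a/pkg-1.0/src/x.c"
    printf 'int x;\n' > "$1/b/pkg-1.0/src/x.c"
    printf 'news\n'   > "$1/b/pkg-1.0/NEWS"
    chmod 644 "$1/a/pkg-1.0/src/x.c"
    chmod 600 "$1/b/pkg-1.0/src/x.c"
    touch -t 200101010000 "$1/b/pkg-1.0/src/x.c"
    # Stand-in for "mtime of NEWS = last git commit time".
    touch -t 202503300000 "$1/a/pkg-1.0/NEWS" "$1/b/pkg-1.0/NEWS"
}

# Prints "repro=<same|differ> plain=<same|differ>".
demo() {
    work=$(mktemp -d) || return 1
    make_trees "$work"
    for t in a b; do
        tar -C "$work/$t" -cf "$work/plain-$t.tar" pkg-1.0
        repro_tar "$work/$t/pkg-1.0" "$work/repro-$t.tar" "$work/$t/pkg-1.0/NEWS"
    done
    if cmp -s "$work/repro-a.tar" "$work/repro-b.tar"; then r=same; else r=differ; fi
    if cmp -s "$work/plain-a.tar" "$work/plain-b.tar"; then p=same; else p=differ; fi
    rm -rf "$work"
    echo "repro=$r plain=$p"
}

demo
```

The flags normalize only archive metadata; a differing user permission bit (for example a lost execute bit) or differing file content still changes the output.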