amazonlinux / amazon-linux-2023

Amazon Linux 2023
https://aws.amazon.com/linux/amazon-linux-2023/

[Package Update Request] - libzip 1.10.1 #506

Open GrahamCampbell opened 12 months ago

GrahamCampbell commented 12 months ago

What package is missing from Amazon Linux 2023? Please describe and include package name.

libzip 1.10.1

Is this an update to existing package or new package request?

Update. Current version is very old.

Is this package available in Amazon Linux 2? If it is available via external sources such as EPEL, please specify.

N/A

Any additional information you'd like to include. (use-cases, etc)

Needed by bref: https://github.com/brefphp/aws-lambda-layers/pull/122#discussion_r1328636808.

GrahamCampbell commented 12 months ago

cc @stewartsmith

stewartsmith commented 12 months ago

Are there specific features or bug fixes in the newer version that you're looking for?

We are careful around version updates and compatibility, so we want to make sure we're looking at an update for good reasons.

GrahamCampbell commented 12 months ago

Yes, the version of libzip here I assume is built against openssl 1, rather than openssl 3, and there are various other bug fixes that are useful to us. What's the blocker for grabbing the latest version?

stewartsmith commented 12 months ago

We don't ship OpenSSL 1.x at all on AL2023, it's all OpenSSL 3, so it won't be OpenSSL related.

There may not be a blocker, but compatibility for existing workloads is something we have to consider, as well as if there are broader communities coalescing around a specific version for an extended period of support (which means we can share security backports).

The question was aimed at being input to determine where looking at this should sit on a priority list. The list is roughly sorted by: security fix, migration blocker, adoption blocker, nice to have.

GrahamCampbell commented 12 months ago

Is the version of libzip you have built without any encryption support, then? That could be a blocker for bref, in that case.

ozbenh commented 12 months ago

The version we ship is what was in Fedora 34, and incidentally seems to match what is in RHEL9. It was built against OpenSSL 3 and the build log shows that the encryption self-tests passed successfully. Is there anything specific that you are missing?

Bumping a library version is risky as it can introduce subtle ABI breakage with software built against the earlier version unless we have a very high confidence that this specific library is extremely well maintained and avoids these common pitfalls. And even then, it means that software built against the newer version might not be deployable on systems running the earlier one, which in the context of a distribution like ours could be problematic for our customers and ISVs.

So we would need a VERY GOOD reason to bump it before AL2023 at this stage.
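The ABI concern raised above is the kind of thing a distro maintainer checks mechanically before a bump. The script below is an added example (not from this thread or the Amazon Linux project): it compares the exported-symbol tables and SONAME of an old and a new shared-library build, using the text that `nm -D --defined-only` and `readelf -d` print. The captures embedded in it are constructed, with hypothetical symbol and library names, not real libzip output.

```python
"""Flag exported-ABI regressions between two shared-library builds.

Input is the text output of `nm -D --defined-only <lib>` and `readelf -d <lib>`
captured from the old and new builds. Symbol presence is a necessary but not
sufficient check: changed struct layouts or signatures need abidiff (libabigail).
"""
import re

# nm type letters for defined, exported symbols (code, weak, data, bss, rodata, weak obj)
EXPORTED_TYPES = set("TWDBRV")
SONAME_RE = re.compile(r"Library soname: \[([^\]]+)\]")


def parse_exported_symbols(nm_output):
    """Return the set of exported symbol names from `nm -D --defined-only` text."""
    symbols = set()
    for line in nm_output.splitlines():
        parts = line.split()          # e.g. "0000000000012340 T zip_open"
        if len(parts) >= 3 and parts[1] in EXPORTED_TYPES:
            symbols.add(parts[2])
    return symbols


def parse_soname(readelf_output):
    """Extract the SONAME from `readelf -d` text, or None if absent."""
    m = SONAME_RE.search(readelf_output)
    return m.group(1) if m else None


def compare_abi(old_nm, old_readelf, new_nm, new_readelf):
    """Report SONAME change plus symbols removed from / added to the export table."""
    old_syms, new_syms = parse_exported_symbols(old_nm), parse_exported_symbols(new_nm)
    return {
        "soname_changed": parse_soname(old_readelf) != parse_soname(new_readelf),
        "removed": old_syms - new_syms,   # consumers linked against these fail at load
        "added": new_syms - old_syms,     # harmless for old consumers, breaks backward deploy
    }


def breaks_existing_consumers(report):
    # A SONAME change means old binaries will not load the new library at all; a
    # removed symbol under the same SONAME fails later, at dynamic symbol resolution.
    return report["soname_changed"] or bool(report["removed"])


# Constructed sample captures (hypothetical names, not libzip's real symbol table).
OLD_NM = "0000000000012340 T zip_open\n0000000000012400 T zip_name_locate\n" \
         "0000000000012500 T zip_legacy_helper\n0000000000030000 D zip_example_data\n"
NEW_NM = "0000000000012340 T zip_open\n0000000000012400 T zip_name_locate\n" \
         "0000000000012600 T zip_new_feature\n0000000000030000 D zip_example_data\n"
OLD_READELF = " 0x000000000000000e (SONAME)  Library soname: [libexample.so.5]"
NEW_READELF = " 0x000000000000000e (SONAME)  Library soname: [libexample.so.5]"

if __name__ == "__main__":
    rep = compare_abi(OLD_NM, OLD_READELF, NEW_NM, NEW_READELF)
    print(rep, "BREAKS" if breaks_existing_consumers(rep) else "compatible")
```

In the constructed sample the SONAME is unchanged, so the break would only surface when a consumer binary resolves the removed symbol; that is the subtle case the comment above is warning about.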

ozbenh commented 12 months ago

Note: If there are specific bug fixes you are after, we can consider backporting them individually.

ozbenh commented 12 months ago

In this case for example:

$ git log v1.7.3..v1.10.1 --pretty=oneline | wc -l
532

That is a LOT of change to very carefully audit

GrahamCampbell commented 11 months ago

Would you consider the bump in 2023.3?

stewartsmith commented 11 months ago

2023.3 would be where we consider making the change that we're pretty sure is safe.

GrahamCampbell commented 11 months ago

Will Lambda give a choice of 2023.2 or 2023.3 as the base image, when the time comes?

ozbenh commented 11 months ago

We aren't even considering updating it at this point.

You haven't responded about which specific features or issues you have with the version we are shipping and we don't really have the bandwidth to do the full analysis of all the changes that went in between those two versions. What we ship today is built against openssl 3 and has crypto enabled (and passes the crypto test as part of the build-time self-test of libzip).

GrahamCampbell commented 11 months ago

There are lots of important changes that are useful, such as handling 4GB files, fixes to zip_name_locate due to improper handling of encoding, and support for zstd and lzma compression. I've not tried out the AWS build to be sure, however encryption is documented to not work with openssl3, and the tests passing may well be that in that old version there were no tests covering it, or they were marked to skip on openssl3.