(In reply to Kai Engert (:KaiE:) from comment #0)
- which Botan version do you recommend to use with v0.15.1?
In CI we run 2.17.3 now and didn't see any problems yet. According to Botan's changelog it is worth updating to 2.17.3 as there were some ECDSA/DH/CVE fixes.
- do you have a list of major changes since v0.14.0 ?
We have CHANGELOG.md in the release branch (and in the master branch now as well); all non-internal changes are described there.
Since v14.0 there were mostly improvements/fixes of bugs, including ones reported via Bugzilla. I'll update all corresponding tickets with a 'fixed in 0.15.1' message.
- are there areas in which you see risk for regressions?
I would not call that a regression, but there could be changes in key expiration time reporting for keys with multiple userids/complicated structure, as now direct-key/primary userid signatures have higher priority for the key expiration check. Previously we checked the latest valid self-signature. Combined with the issue https://github.com/rnpgp/rnp/issues/1497, in some cases (say, the secondary userid sig was fresher than the primary, and the user changed key expiration via Thunderbird) RNP may now return another key expiration value. So the user will need to extend key expiration again.
Also your patch for disabling weak hashes would need some minor changes.
This is all I can remember for now, but if I find out something else, I will update the ticket.