Open Bug 1848104 Opened 2 years ago Updated 1 month ago

Upgrade Thunderbird to use Botan version 3 (Botan 2 is EOL)

Categories

(MailNews Core :: Security: OpenPGP, task, P1)

Tracking

(Not tracked)

People

(Reporter: KaiE, Assigned: dandarnell)

References

(Blocks 1 open bug)

Details

Attachments

(5 files)

Eventually it will be necessary to upgrade Thunderbird to use version 3.x of the Botan library.

Timing is currently unknown.

Botan-2 reached EOL at the end of 2024. So this will definitely need to be worked on in the next few months.

Hit a snag.
Botan 3 uses the C++20 standard. Unfortunately, the Linux builds are currently on gcc 8 with its libstdc++ (#include <span> came up first when compiling)... <span> is not available until gcc-10.1.

Easiest option is to update the sysroot used to compile Thunderbird. That would mean dropping support for older Linux distributions.

Notably:

Ubuntu 20.04LTS - 2025-04
Rocky 8 - 2024-04
OpenSUSE Leap 15 (uses gcc-7!!)

(In reply to Rob Lemley [:rjl] from comment #2)

> Botan-2 reached EOL at the end of 2024. So this will definitely need to be worked on in the next few months.

Given this EOL plan, we should upgrade Daily to Botan 3 soon.

Distributions will have to find ways to build.
They might be able to bring in a more modern compiler, using an optional package, for building Botan.

I have Botan 3.5 building with an updated Linux sysroot based on Debian Bullseye. The sysroot is not final yet, but it's not needed for local builds. I have a little more to sort out tomorrow with my patches. The Botan patch is too big for phab; I need to trim it down more and split it up first.

https://botan.randombit.net/#botan2 is EOL now. Seems we need to urgently update our version.

Priority: -- → P1
Summary: Upgrade Thunderbird to use Botan version 3 → Upgrade Thunderbird to use Botan version 3 (Botan 2 is EOL)
Type: enhancement → task
Duplicate of this bug: 1847872

Rob, is it possible to give this a higher priority?
Based on comment 6 I understand you're already working on it, so assigning it to you.

Assignee: nobody → rob
Flags: needinfo?(corey)

This is a priority for us. I'm transferring to Daniel and will work with him on it.

Flags: needinfo?(corey)
Assignee: rob → daniel

Looking at the changelog, Botan has begun to make use of the C++20 feature "concepts" since 2023,
and I see this change in early 2024
"Remove workarounds for compilers that didn't implement C++20 concepts"
https://github.com/randombit/botan/commit/7d8ccb7ffcdac144d7d40e6f432a8c0b7530f865

I've asked the developers of Botan for their thoughts on whether it might be feasible to remove the use of that language feature in a local patch, but I'm not very optimistic that it would be simple.
https://github.com/randombit/botan/issues/4823

As I understand it, the Firefox toolchain doesn't yet provide the libstdc++10 and doesn't yet offer the C++20 language features.
If it takes more time until Firefox upgrades, I guess the question is, could it be made optionally available, only for compiling and linking with the RNP/Botan library?

Given that our code uses a C-only interface into the RNP shared library, that might allow sufficient isolation. It would be necessary to bring the newer C++ compiler and library to any other components.

Not sure whether this helps, but RNP uses Botan backend through the C FFI interface.

(In reply to Nickolay Olshevsky from comment #12)

> Not sure whether this helps, but RNP uses Botan backend through the C FFI interface.

Thanks Nickolay, RNP is already isolated from the symbol linking space of the rest of Thunderbird. But nevertheless, we must find a way to bring the necessary compiler and libstdc++ versions into the deliberately old build environment. The old environment is used to create the binaries that Thunderbird/Firefox produce. The desire is that those binaries work on old operating systems, avoiding dependencies on recent libraries, and as I understand it, the easiest way to achieve that is to build against older library versions. I'm not a build engineer, so I cannot give the full picture.

Just some tracking links:

Bug 1880779 and bug 1768116 track the request to use newer libstdc++10 and C++20 compilation.
Bug 1727014 might be interesting as an example of what was done in the past to bring in newer symbols required by RNP.

File build/unix/stdc++compat/stdc++compat.cpp has a comment that explains:
"This file adds the necessary compatibility tricks to avoid symbols with version GLIBCXX_3.4.20 and bigger, keeping binary compatibility with libstdc++ 4.8.1."
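
The GLIBCXX_3.4.20 limit quoted from stdc++compat.cpp can be checked against a built shared library. The following is an added example, not part of the bug thread or of Mozilla's build scripts: it scans `objdump -T` output for imported symbols versioned GLIBCXX_3.4.20 or newer. The function names and the sample output are constructed for illustration.

```python
import re

# Limit taken from the stdc++compat.cpp comment quoted above: symbols
# versioned GLIBCXX_3.4.20 or newer are the ones to avoid.
FIRST_DISALLOWED = (3, 4, 20)

# objdump -T prints the version tag either bare or in parentheses,
# followed by the symbol name at the end of the line.
VERSION_RE = re.compile(r"\(?GLIBCXX_(\d+(?:\.\d+)*)\)?\s+(\S+)\s*$")

# Constructed sample of `objdump -T librnp.so` output (not from a real build).
SAMPLE = """\
0000000000000000      DF *UND*  0000000000000000  GLIBCXX_3.4    _ZSt9terminatev
0000000000000000      DF *UND*  0000000000000000  GLIBCXX_3.4.9  _ZSt16__ostream_insertIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_PKS3_l
0000000000000000      DF *UND*  0000000000000000  GLIBCXX_3.4.21 _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_createERmm
0000000000000000      DF *UND*  0000000000000000 (GLIBCXX_3.4.26) _ZNSt3pmr19new_delete_resourceEv
0000000000012340 g    DF .text  0000000000000042  Base           rnp_ffi_create
"""


def parse_version(text):
    """'3.4.20' -> (3, 4, 20), so 3.4.9 sorts below 3.4.20 (strings would not)."""
    return tuple(int(part) for part in text.split("."))


def too_new_symbols(objdump_output, first_disallowed=FIRST_DISALLOWED):
    """Return sorted (version, symbol) pairs for imports at or above the limit."""
    hits = set()
    for line in objdump_output.splitlines():
        if "*UND*" not in line:
            continue  # only undefined (imported) symbols create a runtime dependency
        match = VERSION_RE.search(line)
        if not match:
            continue  # unversioned symbol, or a version from another library
        version = parse_version(match.group(1))
        if version >= first_disallowed:
            hits.add((version, match.group(2)))
    return sorted(hits)


if __name__ == "__main__":
    for version, symbol in too_new_symbols(SAMPLE):
        print("GLIBCXX_" + ".".join(map(str, version)), symbol)
```

To check a real build, pass the text produced by `objdump -T` on the library to `too_new_symbols()` and fail the build step if the result is non-empty.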
