libidn2-2.3.8 released [stable]

[Simon Josefsson via Announcements and Requests for Help from the GNU project and the Free Software Foundation]

This is to announce libidn2-2.3.8, a stable release.

Libidn2 is a free software implementation of IDNA2008, Punycode and
Unicode TR46.  Its purpose is to encode and decode internationalized
domain names.

There have been 44 commits by 2 people in the 58 weeks since 2.3.7.

See the NEWS below for a brief summary.

Thanks to everyone who has contributed!
The following people contributed changes to this release:

  Bruno Haible (1)
  Simon Josefsson (43)

Simon
 [on behalf of the libidn2 maintainers]
==================================================================

Here is the GNU libidn2 home page:
    https://www.gnu.org/software/libidn/#libidn2

Manual:
  https://www.gnu.org/software/libidn/libidn2/manual
  https://www.gnu.org/software/libidn/libidn2/manual/libidn2.html
  https://www.gnu.org/software/libidn/libidn2/manual/libidn2.pdf

API Reference manual:
  https://www.gnu.org/software/libidn/libidn2/reference/libidn2-idn2.h.html
  https://www.gnu.org/software/libidn/libidn2/reference/libidn2.pdf

Here are the compressed sources and a GPG detached signature:
  https://ftp.gnu.org/gnu/libidn/libidn2-2.3.8.tar.gz
  https://ftp.gnu.org/gnu/libidn/libidn2-2.3.8.tar.gz.sig

Here is minimal source-only "git archive" sources:
  https://ftp.gnu.org/gnu/libidn/libidn2-v2.3.8-src.tar.gz
  https://ftp.gnu.org/gnu/libidn/libidn2-v2.3.8-src.tar.gz.sig

Here are Sigsum Proofs:
  https://ftp.gnu.org/gnu/libidn/libidn2-2.3.8.tar.gz.proof
  https://ftp.gnu.org/gnu/libidn/libidn2-v2.3.8-src.tar.gz.proof

Use a mirror for higher download bandwidth:
  https://www.gnu.org/order/ftp.html

Here are the SHA1 and SHA256 checksums:

  06fe2744b016dfc4a58acc3699644e290eb3d37a  libidn2-2.3.8.tar.gz
  9VeRG/YXFiHh9y/zX1sYJbs1tS7UUyXc3ukx5dPAeHo=  libidn2-2.3.8.tar.gz

  87921bc183615550cba1ea88ac3235e045cfffc5  libidn2-v2.3.8-src.tar.gz
  u60WeNNdKOLGLmoldwg4KUYUAtnke5CHkcVTFKXLXgQ=  libidn2-v2.3.8-src.tar.gz

Verify the base64 SHA256 checksum with cksum -a sha256 --check
from coreutils-9.2 or OpenBSD's cksum since 2007.

Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact.  First, be sure to download both the .sig file
and the corresponding tarball.  Then, run a command like this:

  gpg --verify libidn2-2.3.8.tar.gz.sig

The signature should match the fingerprint of the following key:

  pub   ed25519 2019-03-20 [SC]
        B1D2 BD13 75BE CB78 4CF4  F8C4 D73C F638 C53C 06BE
  uid   Simon Josefsson <si...@josefsson.org>

If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to retrieve
or refresh it, and then rerun the 'gpg --verify' command.

  gpg --locate-external-key si...@josefsson.org

  gpg --recv-keys 51722B08FE4745A2

  wget -q -O- 
'https://savannah.gnu.org/project/release-gpgkeys.php?group=libidn&download=1' 
| gpg --import -

As a last resort to find the key, you can try the official GNU
keyring:

  wget -q https://ftp.gnu.org/gnu/gnu-keyring.gpg
  gpg --keyring gnu-keyring.gpg --verify libidn2-2.3.8.tar.gz.sig

Use the .proof files to verify the Sigsum proof.  These files are like
signatures but with extra transparency: you can cryptographically verify
that every signature is logged in a public append-only log, so you can
say with confidence what signatures exists.  This makes hidden releases
no longer deniable for the same public key.

Releases are Sigsum-signed with the following public key:

  cat <<EOF > jas-sigsum-key.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILzCFcHHrKzVSPDDarZPYqn89H5TPaxwcORgRg+4DagE
EOF

Run a command like this to verify downloaded artifacts:

  wget -q -Otrust.txt https://gnu.org/s/libidn/sigsum-policy-20250309.txt
  sigsum-verify -k jas-sigsum-key.pub -p trust.txt \
        libidn2-2.3.8.tar.gz.proof < libidn2-2.3.8.tar.gz

You may learn more about Sigsum concepts and find instructions how to
download the tools here: https://www.sigsum.org/getting-started/

This release is based on the libidn2 git repository, available as

  git clone https://gitlab.com/libidn/libidn2.git

with commit 9bc3ac79e2ae81ade245a0e308bf13c981efaa83 tagged as v2.3.8.

For a summary of changes and contributors, see:

  https://gitlab.com/libidn/libidn2/-/compare/v2.3.7...v2.3.8

or run this command from a git-cloned libidn2 directory:

  git shortlog v2.3.7..v2.3.8

This release was bootstrapped with the following tools:
  Gnulib 2025-02-01 c89cd2fbd3b9f3d7c5a146247256599714c91ec7
  Autoconf 2.71
  Automake 1.16.5
  Libtoolize 2.4.7
  Make 4.3
  Makeinfo 7.1.1
  Help2man 1.49.2
  Gperf 3.1
  Gengetopt 2.23
  Gtkdocize 1.34.0
  Tar 1.34
  Gzip 1.13
  Guix f1c1b1c08d8cc0f9466690c2911acdf6a75b27b4

NEWS

* Noteworthy changes in release 2.3.8 (2025-03-08) [stable]

** Unicode 15.1.0 table updates.
Now U+19DA is DISALLOWED again (see version 2.3.4 release notes).

** The release tarball is now reproducible.

** We publish a minimal source-only tarball generated by 'git archive'.

** The release tarball uses tar --format=ustar.

** The idn2 tool now binds the "gnulib" domain for translations.

** Update gnulib files and various build/maintenance fixes.

Happy Hacking,
Simon

signature.asc
Description: PGP signature