
Bug#682683: unblock: sope/1.3.16-1



At Wed, 1 Aug 2012 22:36:12 +0200,
Julien Cristau wrote:
> 
> On Tue, Jul 24, 2012 at 17:33:09 +0200, Jeroen Dekkers wrote:
> 
> > The upstream release is a bugfix only release. Most of the fixes are
> > already in 1.3.15-4 because they are Debian fixes submitted upstream
> > or were backported from development version to the Debian package. The
> > only actual changes in the Debian package are:
> > 
> > * Build with hardening enabled
> > * Addition of two methods to classes in NGLdap
> > * Change in NGObjWeb to not use a deprecated method
> > 
> That doesn't sound like it fixes an important bug in the package, or am
> I missing something?

Although enabling hardening doesn't fix an important bug, it does add
a lot of protection against security bugs. It's a release goal and if
I'm right changes for release goals are also allowed. SOPE includes a
lot of old code that deals directly with untrusted input from the web;
having hardening enabled for such code is important in my opinion.

The two new NGLdap methods are used by SOGo 1.3.16 and I'm not sure
that it works correctly when used with an older SOPE version that
doesn't have these methods. It's not really a tested/supported
configuration and I would have to check that if the added hardening
isn't a reason to unblock.

The deprecated method change doesn't really matter at all. I prepared
these packages with the intention that they were uploaded before the
freeze, but my sponsor didn't have the time to do the upload. That's
why it's included, but I can't see how that change can cause any
problems.

Kind regards,

Jeroen Dekkers

