Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hello release team,

10 days ago I uploaded a new PostgreSQL 9.1 which re-enables build hardening. We have had this for a long time already, but it was accidentally dropped in 9.1.3-2 when I made the package compatible with both the new dpkg method and hardening-wrapper (for backports).

http://packages.qa.debian.org/p/postgresql-9.1/news/20120831T084902Z.html

9.1.5-2 reintroduces hardening again. As PostgreSQL is a fairly widespread server application, its job is to process tons of strings, user data, etc., it particularly benefits from hardening, so it would be a shame to regress this in wheezy due to this oversight.

The other change in -2 is a Breaks/Replaces fix for handling backports variants, and a corresponding preinst transition which only affects Ubuntu (as Debian's archives do not have Debian revisions starting with -0).

The package successfully passes the upstream as well as the postgresql-common integration tests and built fine on all architectures (except hurd-i386, but it almost never built there anyway).

Thank you for considering!

Martin

unblock postgresql-9.1/9.1.5-2

-- 
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
diff -Nru postgresql-9.1-9.1.5/debian/changelog postgresql-9.1-9.1.5/debian/changelog --- postgresql-9.1-9.1.5/debian/changelog 2012-08-17 12:42:45.000000000 +0000 +++ postgresql-9.1-9.1.5/debian/changelog 2012-08-31 07:55:01.000000000 +0000 @@ -1,3 +1,21 @@ +postgresql-9.1 (9.1.5-2) unstable; urgency=low + + * debian/rules: Re-enable hardening functions (regression from 9.1.3-2 when + hardening-wrapper is not installed). Use "hardening=all", but disable + "pie" (as that's not compatible with -fPIC) and add -pie to CFLAGS + explicitly. Also drop the explicit "-Wl,-z,now" linker option, as this is + now implied with "all". (LP: #1039618) + * Fix upgrades from older 9.1 releases in stable Ubuntu -updates/-security + releasese. The strict "<< 9.1.4-2~" check for moving pg_basebackup.1.gz is + not sufficient, as Ubuntu stables have newer upstream releases by now. + - debian/control: Move Breaks/Replaces: from static version to + ${binary:Version}. + - debian/postgresql-9.1.preinst: Also fix the alternatives when upgrading + from a -0something version. + - (LP: #1043449) + + -- Martin Pitt <mpitt@debian.org> Fri, 31 Aug 2012 09:54:27 +0200 + postgresql-9.1 (9.1.5-1) unstable; urgency=medium * Urgency medium due to security fixes and bug fixes which should reach diff -Nru postgresql-9.1-9.1.5/debian/control postgresql-9.1-9.1.5/debian/control --- postgresql-9.1-9.1.5/debian/control 2012-08-17 12:42:45.000000000 +0000 +++ postgresql-9.1-9.1.5/debian/control 2012-08-31 07:55:01.000000000 +0000 
@@ -170,8 +170,8 @@ Conflicts: postgresql (<< 7.5) Suggests: postgresql-9.1, postgresql-doc-9.1 Provides: postgresql-client -Breaks: postgresql-9.1 (<< 9.1.4-2~) -Replaces: postgresql-9.1 (<< 9.1.4-2~) +Breaks: postgresql-9.1 (<< ${binary:Version}) +Replaces: postgresql-9.1 (<< ${binary:Version}) Description: front-end programs for PostgreSQL 9.1 This package contains client and administrative programs for PostgreSQL: these are the interactive terminal client psql and diff -Nru postgresql-9.1-9.1.5/debian/postgresql-9.1.preinst postgresql-9.1-9.1.5/debian/postgresql-9.1.preinst --- postgresql-9.1-9.1.5/debian/postgresql-9.1.preinst 2012-08-17 12:42:45.000000000 +0000 +++ postgresql-9.1-9.1.5/debian/postgresql-9.1.preinst 2012-08-31 07:55:01.000000000 +0000 @@ -2,10 +2,13 @@ set -e # 9.1.4-2 moved pg_basebackup manpage from server to client; we need to rebuild -# the alternatives for postmaster to drop pg_basebackup.1.gz from the group -if [ "$1" = "upgrade" ] || [ "$1" = "install" ] && \ - dpkg --compare-versions "$2" lt-nl "9.1.4-2~"; then - update-alternatives --remove postmaster.1.gz /usr/share/postgresql/9.1/man/man1/postmaster.1.gz +# the alternatives for postmaster to drop pg_basebackup.1.gz from the group; we +# also need to do this when upgrading from stable-updates/security, i. e. from +# a -0something version +if [ "$1" = "upgrade" ] || [ "$1" = "install" ]; then + if dpkg --compare-versions "$2" lt-nl "9.1.4-2~" || echo "$2" | grep -q -- '-0'; then + update-alternatives --remove postmaster.1.gz /usr/share/postgresql/9.1/man/man1/postmaster.1.gz + fi fi #DEBHELPER# diff -Nru postgresql-9.1-9.1.5/debian/rules postgresql-9.1-9.1.5/debian/rules --- postgresql-9.1-9.1.5/debian/rules 2012-08-17 12:42:45.000000000 +0000 +++ postgresql-9.1-9.1.5/debian/rules 2012-08-31 07:55:01.000000000 +0000 
@@ -4,10 +4,11 @@ # support both hardening-wrapper (for backports) and dpkg-buildflags export DEB_BUILD_HARDENING = 1 +export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie DPKG_EXPORT_BUILDFLAGS = 1 -include /usr/share/dpkg/buildflags.mk -LDFLAGS+= -Wl,--as-needed -Wl,-z,now -CFLAGS+= -fPIC +LDFLAGS+= -Wl,--as-needed +CFLAGS+= -fPIC -pie # When protecting the postmaster with oom_adj=-17, allow the OOM killer to slay # the backends (http://archives.postgresql.org/pgsql-hackers/2010-01/msg00170.php)
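Review bot: In the debian/changelog hunk, "stable Ubuntu -updates/-security releasese" has a typo ("releases"), and the trailing sub-item "- (LP: #1043449)" reads as a stray bullet; fold the bug reference onto the end of the parent entry the way "(LP: #1039618)" is attached to the first one, so the closure reference stays with the text it belongs to.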
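Review bot: In the debian/control hunk, `Breaks: postgresql-9.1 (<< ${binary:Version})` / `Replaces: postgresql-9.1 (<< ${binary:Version})` turns a one-time transition (the pg_basebackup.1.gz move in 9.1.4-2) into a permanent requirement that the server and client binaries upgrade in lockstep. That is the usual and safe choice for two binaries built from the same source, and the static `<< 9.1.4-2~` bound genuinely cannot cover Ubuntu's newer -0ubuntuN revisions, but the changelog should say that the relationship is now intentionally permanent rather than describe it only as a fix for the version check.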
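Review bot: In the debian/postgresql-9.1.preinst hunk, `echo "$2" | grep -q -- '-0'` matches "-0" anywhere in the old version string, not only at the start of the Debian revision, so it is looser than the "a -0something version" described in the comment; anchor it to the revision, e.g. `grep -q -- '-0[^-]*$'`, so the match is limited to the intended case. Note also that the new nesting runs `update-alternatives --remove postmaster.1.gz ...` on every upgrade whose old version matches, including repeated -0ubuntuN upgrades, so the comment should state that repeating the removal is expected and harmless (the script runs under `set -e`, so anything that makes it fail would abort the upgrade). The restructuring itself is fine: the old `[ ... ] || [ ... ] && ...` relied on the shell's left-to-right evaluation of `||` and `&&`, and the explicit inner `if` makes the intent clear.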
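Review bot: In the debian/rules hunk, `CFLAGS+= -fPIC -pie` puts a link-time option into the compiler flags; it only has an effect where the build passes CFLAGS on the link command line, and it is then applied to every link that does so, not just to the executables PIE is meant for. The comment directly above (`# support both hardening-wrapper (for backports) and dpkg-buildflags`) says nothing about why `hardening=+all,-pie` disables pie only to add `-pie` back by hand, so carry the changelog's rationale (dpkg's pie flags versus the required -fPIC) into a comment next to these lines, and consider whether LDFLAGS, the conventional home for a linker option, is the right place for `-pie`. Dropping `-Wl,-z,now` is correct since bindnow is part of `hardening=all`, and `DEB_BUILD_MAINT_OPTIONS` is exported before `include /usr/share/dpkg/buildflags.mk`, as it must be.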