
Re: Bug#771208: unblock: busybox/1:1.22.0-14



27.11.2014 19:00, Cyril Brulebois wrote:
> (Putting on my d-i RM fedora.)

Thank you for your review.

> Michael Tokarev <mjt@tls.msk.ru> (2014-11-27):
>> Please unblock package busybox.  Last upload has one security bugfix
>> (CVE-2014-4607, #768945), the fix is from upstream stable branch,
>> fixing an integer overflow in lzo decompressor; it adds a Built-Using
>> control field for busybox-static variant (#768926), and also arranges
>> build system to only produce binary or indep .debs (or both), depending
>> on the d/rules target (binary-all vs binary-indep vs binary) -- this
>> is a long-standing lintian bug which I overlooked previously.
> 
> #768926 is still not #768876:
> 
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768926#28

Yes, you're right.  I fixed it in the changelog but not in this unblock
request.  The actual bug fixed here is #768876.

[]
> #768876 is tagged jessie-ignore so I'm really unconvinced by the
> debian/rules changes.

It is jessie-ignore just to be non-RC.  The fun with static linking
and the bugs it discovered shows that a proper Built-Using field is really
necessary (it is what #768876 is about).

However, the bulk of the d/rules changes are due to another build fix, to
stop building the arch-all package (busybox-syslogd) when building
binary-arch.  Plus one block of added lines to check whether
libc is able to produce working statically-linked executables.

> At this stage, I'd rather see the security fix only.
> 
> Release team people, what's your take on this?

Thanks,

/mjt

