Re: Bug#771208: unblock: busybox/1:1.22.0-14
27.11.2014 19:00, Cyril Brulebois wrote:
> (Putting on my d-i RM fedora.)
Thank you for your review.
> Michael Tokarev <email@example.com> (2014-11-27):
>> Please unblock package busybox. Last upload has one security bugfix
>> (CVE-2014-4607, #768945), the fix is from upstream stable branch,
>> fixing an integer overflow in lzo decompressor; it adds a Built-Using
>> control field for busybox-static variant (#768926), and also arranges
>> build system to only produce binary or indep .debs (or both), depending
>> on the d/rules target (binary-all vs binary-indep vs binary) -- this
>> is a long-standing lintian bug which I overlooked previously.
> #768926 is still not #768876:
Yes you're right. I fixed it in the changelog but not in this unblock
request. Actual bug fixed here is #768876.
> #768876 is tagged jessie-ignore so I'm really unconvinced by the
> debian/rules changes.
It is jessie-ignore just to be non-RC. The fun with static linking
and bugs it discovered shows that proper Built-Using field is really
necessary (it is what #768876 is about).
However, bulk of d/rules changes are due to another build fix, to
stop building arch-all package (busybox-syslogd) when building
binary-arch. Plus one block of added lines to check whenever
libc is able to produce working statically-linked executables.
> At this stage, I'd rather see the security fix only.
> Release team people, what's your take on this?