Ccing maintainer.

Hi,
* Goswin von Brederlow <firstname.lastname@example.org> [2008-12-14 20:14]:
> I run reprepro to create a local mirror for lenny, lenny-security and
> sid. Since I have it set up to put all 3 into a common pool I noticed
> the following:
[...]
> As you can see Lenny-Security has a different orig.tar.gz than
> Lenny/Sid. This creates a problem for my reprepro as it detects a
> size/md5sum mismatch, aborts and sends me an angry mail. But more
> importantly this prevents the security update from entering Lenny:
>
> 20081106164710|process-unchecked|rejected|uw-imap_2007b~dfsg-4+lenny1_amd64.changes
>
> Rejected: md5sum and/or size mismatch on existing copy of uw-imap_2007b~dfsg.orig.tar.gz.
> Rejected: can not overwrite existing copy of 'uw-imap_2007b~dfsg.orig.tar.gz' already in the archive.

This update was unfortunately a bit problematic. To make the story
short, uw-imap was uploaded as 7:2007b~dfsg-4 but we then requested to
upload this as -3+lenny1 to mark it as a security update and to prevent
broken updates in case 7:2007d~dfsg-1 gets rejected from NEW (in
-3+lenny1 is also the upstream tarball change). Unfortunately -3+lenny1
was rejected on klecker because the orig.tar.gz of the old build was
still lying around in the queue. As we can not use the same version
twice on klecker, -4+lenny1 was uploaded as a rebuild of -3+lenny1 and
the upstream tarball change was overlooked in that chaos.

> As it is the vulnerable version of uw-imap will remain in Lenny and
> Lenny will have a known security bug that is totally avoidable. From
> the timestamp above you can see that this problem has been around over
> a month.
>
> Does anyone care?

Yes. I see two possibilities here: one option is to get 8:2007b~dfsg-1
unblocked and let this migrate to lenny (there is some weird SONAME
change though), or to reupload a +lenny2 version to testing-security
again.

Opinions?

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - email@example.com - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.