
Re: Updating dpkg in squeeze-lts


On Wed, 2015-04-22 at 01:53:16 +0100, Ben Hutchings wrote:
> I've prepared an update to dpkg in squeeze-lts to fix CVE-2015-0840.  As
> it's a native package, I'd like to check some points with you:

> - Would you rather I numbered it as 1.15.12 or 1.15.11+nmu1?

I'm a bit uncomfortable both with doing volunteer work for the LTS
release, and getting an NMU for dpkg. But given that you've done the
heavy lifting of hunting the patches and backporting them, I'd be fine
with just merging them and releasing a tarball or a source package
(although I can as well build both i386 and amd64 binaries if needed).

If you still want to prepare it yourself, then as Holger said, please
use +deb6u1.

> - Should I do anything with the tarball produced by 'make dist'?

If going with the second option above, then
<https://wiki.debian.org/Teams/Dpkg/GitUsage> has some instructions
that apply to master, they do need some small tweaking for 1.15.x.

Also AFAIR, due to a release accident the 1.15.x series were
autoreconfed from a wheezy system, so doing so from squeeze should
produce much noise (and it would be on the unsafe side).

> - Are you happy to pull from my git branch, or should I send one or
>   multiple patches?

Given that you've done the hunting and backporting I'd like your SOB
lines on all patches, alongside
[mail@domain:\n - Brief change description. ] markers for the patches
that required changes so proper credit is given in the commit message.

> git repository:
> http://git.decadent.org.uk/gitweb?p=dpkg.git;a=summary
> http://git.decadent.org.uk/git/dpkg.git

I've only skimmed over these, but they look like the patches that
should be picked up. I can review them properly while merging.

