Re: Updating dpkg in squeeze-lts

To: Guillem Jover <guillem@debian.org>
Cc: debian-dpkg@lists.debian.org, Debian LTS <debian-lts@lists.debian.org>
Subject: Re: Updating dpkg in squeeze-lts
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 27 Apr 2015 01:11:33 +0100
Message-id: <[🔎] 1430093493.4063.153.camel@decadent.org.uk>
In-reply-to: <[🔎] 20150423051025.GA25515@gaara.hadrons.org>
References: <[🔎] 1429663996.15560.13.camel@decadent.org.uk> <[🔎] 20150423051025.GA25515@gaara.hadrons.org>

On Thu, 2015-04-23 at 07:10 +0200, Guillem Jover wrote:
> Hi!
> 
> On Wed, 2015-04-22 at 01:53:16 +0100, Ben Hutchings wrote:
> > I've prepared an update to dpkg in squeeze-lts to fix CVE-2015-0840.  As
> > it's a native package, I'd like to check some points with you:
> 
> > - Would you rather I numbered it as 1.15.12 or 1.15.11+nmu1?
> 
> I'm a bit uncomfortable both with doing volunteer work for the LTS
> release, and getting an NMU for dpkg. But given that you've done the
> heavy lifting of hunting the patches and backporting them, I'd be fine
> with just merging them and releasing a tarball or a source package
> (although I can as well build both i386 and amd64 binaries if needed).

I'd prefer if you merged and released the tarball, then I can do the
rest.

> If you still want to prepare it yourself, then as Holger said, please
> use +deb6u1.
> 
> > - Should I do anything with the tarball produced by 'make dist'?
> 
> If going with the second option above, then
> <https://wiki.debian.org/Teams/Dpkg/GitUsage> has some instructions
> that apply to master, they do need some small tweaking for 1.15.x.
> 
> Also AFAIR, due to a release accident the 1.15.x series where
> autoreconfed from a wheezy system, so doing so from squeeze should
> produce much noise (and it would be on the unsafe side).

I noticed that and tried autoreconf'ing from wheezy.  It still resulted
in some changes in generated files, though none in the configure script
aside from the package version.

> > - Are you happy to pull from my git branch, or should I send one or
> >   multiple patches?
> 
> Given that you've done the hunting and backporting I'd like your SOB
> lines on all patches, alongside
> [mail@domain:\n - Brief change description. ] markers for the patches
> that required changes so proper credit is given in the commit message.

OK, I've rebased and added that.

All of the cherry-picks conflicted in debian/changelog, but I didn't
bother to mention that.  Aside from that they were mostly clean.

I also dropped the 'release' commit so you'll need to finalise the
changelog as you see fit.

Ben.

> > git repository:
> > http://git.decadent.org.uk/gitweb?p=dpkg.git;a=summary
> > http://git.decadent.org.uk/git/dpkg.git
> 
> I've only skimmed over these, but they look like the patches that
> should be picked up. I can review them out properly while merging.
> 
> Thanks,
> Guillem
> 
> 

-- 
Ben Hutchings
I'm not a reverse psychological virus.  Please don't copy me into your sig.

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

References:
- Updating dpkg in squeeze-lts
  - From: Ben Hutchings <ben@decadent.org.uk>
- Re: Updating dpkg in squeeze-lts
  - From: Guillem Jover <guillem@debian.org>

Prev by Date: Jenkins build is back to normal : dpkg-source #346
Next by Date: Re: Preliminary review of dpkg-genbuildinfo
Previous by thread: Re: Updating dpkg in squeeze-lts
Next by thread: Jenkins build is back to normal : dpkg-source #346
Index(es):
- Date
- Thread