[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Updating dpkg in squeeze-lts

On Thu, 2015-04-23 at 07:10 +0200, Guillem Jover wrote:
> Hi!
> On Wed, 2015-04-22 at 01:53:16 +0100, Ben Hutchings wrote:
> > I've prepared an update to dpkg in squeeze-lts to fix CVE-2015-0840.  As
> > it's a native package, I'd like to check some points with you:
> > - Would you rather I numbered it as 1.15.12 or 1.15.11+nmu1?
> I'm a bit uncomfortable both with doing volunteer work for the LTS
> release, and getting an NMU for dpkg. But given that you've done the
> heavy lifting of hunting the patches and backporting them, I'd be fine
> with just merging them and releasing a tarball or a source package
> (although I can as well build both i386 and amd64 binaries if needed).

I'd prefer if you merged and released the tarball, then I can do the

> If you still want to prepare it yourself, then as Holger said, please
> use +deb6u1.
> > - Should I do anything with the tarball produced by 'make dist'?
> If going with the second option above, then
> <https://wiki.debian.org/Teams/Dpkg/GitUsage> has some instructions
> that apply to master, they do need some small tweaking for 1.15.x.
> Also AFAIR, due to a release accident the 1.15.x series where
> autoreconfed from a wheezy system, so doing so from squeeze should
> produce much noise (and it would be on the unsafe side).

I noticed that and tried autoreconf'ing from wheezy.  It still resulted
in some changes in generated files, though none in the configure script
aside from the package version.

> > - Are you happy to pull from my git branch, or should I send one or
> >   multiple patches?
> Given that you've done the hunting and backporting I'd like your SOB
> lines on all patches, alongside
> [mail@domain:\n - Brief change description. ] markers for the patches
> that required changes so proper credit is given in the commit message.

OK, I've rebased and added that.

All of the cherry-picks conflicted in debian/changelog, but I didn't
bother to mention that.  Aside from that they were mostly clean.

I also dropped the 'release' commit so you'll need to finalise the
changelog as you see fit.


> > git repository:
> > http://git.decadent.org.uk/gitweb?p=dpkg.git;a=summary
> > http://git.decadent.org.uk/git/dpkg.git
> I've only skimmed over these, but they look like the patches that
> should be picked up. I can review them out properly while merging.
> Thanks,
> Guillem

Ben Hutchings
I'm not a reverse psychological virus.  Please don't copy me into your sig.

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: