
Bug#621840: lintian: please warning when urgency in changes does not match the changelog




On 2011-04-09 19:20, Russ Allbery wrote:
> Niels Thykier <niels@thykier.net> writes:
> 
>> Looking at two uploads today ([1], [2]) I noticed that the urgency of
>> the newest entry of the changelog was low, but the changes had urgency
>> high or critical.  The high/critical urgency was most likely inherited
>> from earlier entries.
> 
>> If the package truly includes uploads of high/critical nature that
>> have not been included in an upload to Debian before, I think it would
>> be a good idea to ask the maintainer to bump the urgency of the first
>> upload to Debian as well.
>>   I hope this can avoid cases where people include earlier changelog
>> entries (intentionally or by mistake), which causes the urgency to be
>> inflated by earlier entries.
> 
> So you would advocate both that and removing the functionality in
> dpkg-genchanges where it uses the urgency of the highest changelog entry
> included?
> 
> I actually prefer the current behavior, even though we occasionally get
> problems like those two entries.  (I think they should be less common now
> that the current dpkg-genchanges, IIRC, no longer includes the entire
> changelog entry if you use a version that doesn't exist, but instead
> compares the version and only includes newer versions, which was probably
> what was intended.)  It feels like it more accurately represents the
> urgency of each separate change.
> 


Nope, I would keep the dpkg-genchanges behaviour to choose the highest,
but ask the developer to be explicit about it.  The good thing about the
current behaviour is that if you import a bunch of changes from (e.g.)
Ubuntu and one of them closes a security issue, then as long as you
remember the -v option, then you get the right urgency.
  The idea was to make Lintian nag if there is a mismatch, mostly
because if there is a security/priority issue, there is no problem in
bumping the current changelog entry (to confirm it) and if there is not
an issue, there is no reason for the urgency to be inflated (causing
reduced time before testing migration).


By all means, if you feel that the severity and the amount of this kind
of issue are negligible, then it is fine.  I am certainly willing to
trust your judgement on this one (especially since this is the first
time I notice this issue as far as I recall).

~Niels

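The check proposed in the message above, sketched as an added example (it is not Lintian's or dpkg's code and not part of the thread): compare the Urgency field of the .changes file with the urgency of the newest changelog entry and report which older entries may have supplied the higher value. The function names and the `hello-example` sample data are constructed for illustration.

```python
import re

# Changelog entry header: "pkg (version) dist; urgency=low"
HEADER = re.compile(r"^[a-z0-9][a-z0-9+.-]* \(([^)]+)\) [^;]+;(.*)$")

def changelog_urgencies(text):
    """Return [(version, urgency), ...] for every entry, newest first."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        fields = dict(p.strip().lower().split("=", 1)
                      for p in m.group(2).split(",") if "=" in p)
        entries.append((m.group(1), (fields.get("urgency") or "unknown").split()[0]))
    return entries

def changes_urgency(text):
    """Return the Urgency field of a .changes file, without any trailing comment."""
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.lower() == "urgency" and value.split():
            return value.split()[0].lower()
    return None

def urgency_mismatch(changes_text, changelog_text):
    """Return None when .changes agrees with the newest changelog entry."""
    entries = changelog_urgencies(changelog_text)
    declared = changes_urgency(changes_text)
    if not entries or declared is None or entries[0][1] == declared:
        return None
    # Older entries carrying the declared urgency are the likely source.
    inherited = [ver for ver, urg in entries[1:] if urg == declared]
    return {"changes": declared, "newest": entries[0], "inherited_from": inherited}

# Constructed sample input (not taken from the uploads mentioned in the thread).
CHANGELOG = """\
hello-example (1.2-2) unstable; urgency=low

  * Packaging cleanup only.

 -- Jane Maintainer <jane@example.org>  Sat, 09 Apr 2011 12:00:00 +0000

hello-example (1.2-1) unstable; urgency=high

  * Fix a security issue.

 -- Jane Maintainer <jane@example.org>  Fri, 01 Apr 2011 12:00:00 +0000
"""
CHANGES = "Format: 1.8\nSource: hello-example\nVersion: 1.2-2\nUrgency: high\n"

if __name__ == "__main__":
    print(urgency_mismatch(CHANGES, CHANGELOG))
```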


