Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
On Mon, Nov 28, 2016 at 01:02:38AM -0500, Roberto C. Sánchez wrote:
> Greetings all,
> I have prepared an update of ImageMagick that takes the work Ben
> Hutchings started and incorporates patches for all remaining security
> issues which have been fixed in jessie .
> The nature of my request in this message is:
> 1. I would appreciate it if someone would take a look at the package
> (.dsc , .changes ) and see if anything appears out of place.
> The changes that Ben made combined with the changes that I made
> total about 80 patches, so I would feel more comfortable uploading
> if someone else weighed in.
If you're asking for code review posting a debdiff to the list might
help people to pick it up.
> 2. Also, I am wondering how to handle testing. After I finished
> integrating all of the patches I found that the test suite failed to
> pass (though this did not cause the package to fail to build). I
> built the last wheezy version of ImageMagick (deb7u7) and found that
> all the tests passed for that version. I carefully audited the
> patches, found some mistakes which I corrected, found some changes
> which had later changes in upstream to partially revert or correct,
> etc. After all of that, I have the unit tests passing again. Is
> there more extensive testing that I need to do?
Having the unit tests pass again is great! If there are no autopkgtests
it boils down to manual testing afterwards (e.g. by issuing typical
invocations of programs that depend on imagemagick like ikiwiki and
testing packages that link against libmagick*) and a call for testing of
built packages on the list might help too.
> 3. I am seeking advice about how to handle the issues which do not have
> a CVE ID. On the security tracker page the issues to which I refer
> appear with an ID starting with TEMP. For the moment I have
> annotated the changelog entries that correspond to specific CVE IDs
> with those IDs and, based on the pattern in Ben's changelog entries,
> I have not specifically annotated the issues. Is this the correct
> approach? When I post the DLA, would I likewise list those issues
> without specific IDs?
If there are no CVE IDs you use bugs in the Debian BTS to identify the
individual issues. Having the bugs in the BTS makes it easy to track the
status of bugs in other releases too. If there are lots of them it makes
sense to group several bugs in one report. The jessie report lists
Hope that helps,