Re: Wheezy update of unrar-nonfree?
Hi there!

Seems there's a little confusion regarding the "rar" and
"unrar-nonfree" packages.

The "rar" package is basically packaged binaries for rar. This is the
only way that rarlabs provides them - and should be considered the
"source".  This is at 5.5.b4 as far as I can see from the watch file
(www.rarlab.com seems down for me currently?)

The package that has source code (unrar-nonfree) is at version 5.5.5
on rarlabs, and is a separate thing (only un-compresses things,
whereas the "rar" package also compresses them)

As rar is a binary only package, it's likely to cause issues as it'll
be linked against newer libraries, and the libc link means it can't be
redistributed as statically linked.

unrar-nonfree should be easily backportable - it's just the "rar"
version as it's binary only that might be problematic.

I'm a little swamped under with work at the moment - so I'll see what
I can do - but I can't promise when - so please, don't let that stop
anyone who wishes to take this on - and I can try and give any info
that might help to them (I believe both are LowNMU).

For reference -
https://qa.debian.org/cgi-bin/watch?pkg=rar
https://qa.debian.org/cgi-bin/watch?pkg=unrar-nonfree

On 22 June 2017 at 14:20, Raphael Hertzog <hertzog@debian.org> wrote:
> Hello Martin,
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of unrar-nonfree:
> https://security-tracker.debian.org/tracker/source-package/unrar-nonfree
>
> We know that the package is non-free and thus not generally part of what
> Debian is supporting on stable releases but we have a fair number of LTS
> sponsors using it and it would thus be nice to see it fixed in
> wheezy-security and in jessie/stretch (through
> jessie-proposed-updates/stretch-proposed-updates since the security team
> is not supporting non-free packages).
>
> To avoid spending too much time on backporting fixes, we're open to
> just pushing the latest upstream release in wheezy-security.
> Unfortunately, the fix to this issue seems to be only in beta versions so
> far and those beta versions did not yet have any corresponding source code
> release? Can you confirm this?
>
> On http://www.rarlab.com/rar_add.htm I only see version 5.5.5 with source
> code (which is newer than what is unstable BTW)... while
> http://www.rarlab.com/download.htm mentions version 5.50 beta 4. The
> former is UnRAR while the latter is RAR but I somehow hope that they are
> maintained in sync. If they are different, where can we see the changelog
> in the UnRAR release?
>
> In any case, if you plan to handle the wheezy update, please follow the
> workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
>
> You can also opt-out from receiving future similar emails in your
> answer and then the LTS Team will take care of unrar-nonfree updates
> for the LTS releases.
>
> Thank you very much.
>
> Raphaël Hertzog,
>   on behalf of the Debian LTS team.
>
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
> --
> Raphaël Hertzog ◈ Debian Developer
>
> Support Debian LTS: https://www.freexian.com/services/debian-lts.html
> Learn to master Debian: https://debian-handbook.info/get/