[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Wheezy update of r-base?

Hi Ola,

On 13 March 2017 at 22:12, Ola Lundqvist wrote:
| Hi Dirk
| 
| I had a quick look at this but I stumbled on the version of the package.
| Why 3.1.1-1+deb3.3.3u1 ?
| And not 3.1.1u1 or even better 3.1.1+deb8u1 ?

Well ... that is exactly why I asked for review :)

The Manual suggested something like it; I would have used 3.1.1-2 or 3.1.1-1.1.

So: what precise version should I use for a rebuild?

| Do you mean that you have backported the whole 3.3.3 on top of 3.1.1 ?
| I guess not.

Most certainly not. See next paragraph.
 
| Do you happen to have a debdiff that I can have a look at as well?

I think if you diff the 3.1.1 (from stable, same directory) with what I have
built and also available there you will three precisely three changes:

- one source file updated in a total of four lines per the CVE + upstream
- two patches added to debian/ showing these changes (and sorry, I still
  don't understand / bother with quilt etc well enough to do better)
- debian/changelog 

debdiff is a tool that extracts just that given ... two changes or dsc files?

| In any case you seem to be on top of this problem. If you want any assistance
| or want me to take the oldstable update, please let me know. I'm happy to
| assist.

I definitely appreciate the help. In 20+ years of Debian it is my first (or
maybe second or third, but things used to be more informal back then when,
and surely first in "many years") 'security' patch.

Just trying to help as I can.

R is a little 'special' in that us powerusers also live off informal
backports off the CRAN mirrors, those generally just take my package from
unstable -- see https://cloud.r-project.org/bin/linux/debian/ Hence little
interaction with backports so far from my side.

Dirk

| Best regards
| 
| // Ola
| 
| 
| On 13 March 2017 at 13:28, Dirk Eddelbuettel <edd@debian.org> wrote:
| 
| 
|     On 12 March 2017 at 16:44, Dirk Eddelbuettel wrote:
|     |
|     | On 12 March 2017 at 15:48, Markus Koschany wrote:
|     | | Hello dear maintainer(s),
|     | |
|     | | the Debian LTS team would like to fix the security issues which are
|     | | currently open in the Wheezy version of r-base:
|     | | https://security-tracker.debian.org/tracker/CVE-2016-8714
|     | |
|     | | Would you like to take care of this yourself?
|     | |
|     | | If yes, please follow the workflow we have defined here:
|     | | https://wiki.debian.org/LTS/Development
|     | |
|     | | If that workflow is a burden to you, feel free to just prepare an
|     | | updated source package and send it to debian-lts@lists.debian.org
|     | | (via a debdiff, or with an URL pointing to the source package,
|     | | or even with a pointer to your packaging repository), and the members
|     | | of the LTS team will take care of the rest. Indicate clearly whether
|     you
|     | | have tested the updated package or not.
|     | |
|     | | If you don't want to take care of this update, it's not a problem, we
|     | | will do our best with your package. Just let us know whether you would
|     | | like to review and/or test the updated package before it gets released.
|     | |
|     | | You can also opt-out from receiving future similar emails in your
|     | | answer and then the LTS Team will take care of r-base updates
|     | | for the LTS releases.
|     |
|     | I can probably help as I was / am already in contact with Moritz from the
|     | security team.
|     |
|     | (But I was also traveling for a family matter and had the misfortune of
|     | seeing my server go off-grid.  Back now.)
| 
|     I managed to build a full set of the Debian stable version 3.1.1 plus two
|     small and minimal patches.
| 
|     See here for all files:
| 
|       http://dirk.eddelbuettel.com/tmp/cve/
| 
|     I am still awaiting feedback on this and haven't uploaded any to Debian
|     yet.
|    
|     Dirk
|    
| 
|     | Dirk
|     |
|     | | Thank you very much.
|     | |
|     | | Markus Koschany,
|     | |   on behalf of the Debian LTS team.
|     | |
|     | | PS: A member of the LTS team might start working on this update at
|     | | any point in time. You can verify whether someone is registered
|     | | on this update in this file:
|     | | https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?
|     view=markup
|     |
|     | --
|     | http://dirk.eddelbuettel.com | @eddelbuettel | edd@debian.org
| 
|     --
|     http://dirk.eddelbuettel.com | @eddelbuettel | edd@debian.org
| 
| 
| 
| 
| 
| --
|  --- Inguza Technology AB --- MSc in Information Technology ----
| /  ola@inguza.com                    Folkebogatan 26            \
| |  opal@debian.org                   654 68 KARLSTAD            |
| |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
| \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
|  ---------------------------------------------------------------
| 

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | edd@debian.org
Reply to: