Re: backported gnutls28 3.3.30 packages available for jessie LTS
Last call for testing on this, I'll upload the 3.3.30 package on Monday
if there's no objection until then.
On 2018-10-23 14:00:14, Antoine Beaupré wrote:
> Hi,
>
> After the lengthy discussion[1] regarding the pending security issues in
> GnuTLS (CVE-2018-10844, CVE-2018-10845, CVE-2018-10846), I have
> determined it might be simpler to just upgrade to the latest upstream
> 3.3.x version for which upstream is still providing updates. Upstream
> agrees with the approach. This removes 35 Debian-specific, backported
> patches and fixes other unrelated bugs. The API/ABI *changes*, but it
> only adds *new* symbols so the soname versions do not change.
>
> [1]: CABY6=0nu1qG9Beb5qc-mbZfubmQGxp9dbgnicFuPPpiwz+oJnw@mail.gmail.com
>
> I have uploaded the test package in the usual location here:
>
> https://people.debian.org/~anarcat/debian/jessie-lts/
>
> Direct link to the .changes file:
>
> https://people.debian.org/~anarcat/debian/jessie-lts/gnutls28_3.3.30-1+deb8u_amd64.changes
>
> The debdiff is obviously quite large so I haven't audited the whole
> diff, which would have basically meant reviewing all the releases
> between upstream 3.3.8 and 3.3.0:
>
> 2151 files changed, 65784 insertions(+), 60661 deletions(-)
>
> Note that about 3000 lines of those are from debian/patches removals
> that were now unnecessary.
>
> The upstream changelog details all the changes:
>
> https://gitlab.com/gnutls/gnutls/blob/gnutls_3_3_x/NEWS
>
> Our branch point was 3.3.8, over four years ago. The latest 3.3.30
> release was last July.
>
> It should be possible to backport the upstream patches for those issues
> as well. But considering the amount of work that represented and how
> sensitive the issue is, I felt more confident going with upstream's
> recommendation.
>
> Extensive testing is recommended. The test suite obviously passes here
> (otherwise the package does not build) but there might be other problems
> that I haven't foreseen.
>
> Thanks for any feedback.
>
> A.
> --
> Information is not knowledge. Knowledge is not wisdom.
> Wisdom is not truth. Truth is not beauty.
> Beauty is not love. Love is not music.
> Music is the best. - Frank Zappa
--
War is the massacre of men who do not know each other,
for the profit of men who know each other but will not massacre each other.
- Paul Valéry