
Re: Drop support for libqb?
On Sat, Nov 16, 2019 at 08:57:00AM +0000, Holger Levsen wrote:
> Hi Roberto,
> 
> On Fri, Nov 15, 2019 at 08:34:52PM -0500, Roberto C. Sánchez wrote:
> > I am hesitant to file the bugs with the SRMs and to do the jessie
> > upload.  I merged the 2019.11.15 tag into the jessie and stretch
> > branches.  I also created a new buster branch from that tag.
> 
> cool!
> 
> for jessie, there's no need to go via SRM, *we* are maintaining jessie
> now.
> 
I understand that.  My wording above was awkward, but it was intended to
make a distinction that I could just go ahead with the jessie upload at
any point.

> for stretch (and buster) I'm pondering whether we should do another
> upload to unstable first, as I did a commit yesterday marking chromium
> as unsupported in stretch. so I've come to conclude that I'll upload
> this right away (it will just delay buster migration by a day) as this
> change is pretty good to have for stretch.
> 
Oh, OK.  Please go ahead.

> > The buster update goes from 2019.06.13..2019.11.15_deb10u1, the stretch
> > update from debian/2019.02.01_deb9u1..2019.11.15_deb9u1 and the jessie
> > update from debian/2019.02.01_deb8u1..2019.11.15_deb8u1.  The git diffs
> > look sane.  However, after building each of the packages and checking
> > the debdiffs (against source packages downloaded with debsnap), the
> > stretch and jessie packages I built seem to be inducing many more
> > changes than those revealed by git diff.
> 
> so debsnap is buggy?
> 
I think it just reflects that the packages which were uploaded differ
from the corresponding tags in the repository.  It was unexpected and
confused the path forward for me.

> and anyway, do we need branches at all? can't you just do commit based
> on master with a d/changelog entry and then save this as a tag, but not
> as a branch?
> 
Given the way that debian-security-support works, that sounds like a
good approach.  I used the branches because they were there and
appeared to have been in recent use.

> > Before I go ahead with pushing changes to salsa, uploading to jessie,
> > releasing a DLA, and filing bugs requesting approval to upload to buster
> > and stretch, I'd like to make sure that I have gone about all of this in
> > the right way.
> 
> Good! :)
> 
> > What is the best way to facilitate this?  Should I fork
> > debian-security-support and push my proposed changes there for you to
> > review?
> 
> if you want, you can surely do this. Even without forking, just create a
> branch el_cubano/WIP or some such and I can review that.
> 
> > Should I post source packages and debdiffs for review?  Let me
> > know how I should proceed.
> 
> or that. I'm happy to review basically anything that I can review easily.
> 
Since it sounds like you have another update past mine, would you be
willing to take over from here?  It seems like my use of the branches
would create opportunity for future complications which could be avoided
by the single commit/tag-based approach you propose.  The uncertainty
that I have surrounding this process makes me think it should be
documented.  I'll make an attempt at documenting the process on the wiki
and then perhaps you can review it for accuracy.

I have attached my draft DLA text so that you can add the chromium bit
to it.  Also, feel free to edit my draft text for clarity, consistency,
etc.

Regards,

-Roberto

-- 
Roberto C. Sánchez

From: Roberto C. Sánchez <roberto@debian.org>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA XXXX-1] debian-security-support libqb and mysql-5.5 end of life

Package        : debian-security-support
Version        : 2019.11.15~deb8u1


debian-security-support, the Debian security support coverage checker,
has been updated in jessie.

This marks the end of life of the libqb package in jessie.  A recently
reported vulnerability against libqb which allows users to overwrite
arbitrary files via a symlink attack cannot be adequately addressed in
libqb in jessie.  Upstream no longer supports this version and no
packages in jessie depend upon libqb.

We recommend that if your systems or applications depend upon the libqb
package provided from the Debian archive that you upgrade your systems
to a more recent Debian release or find an alternate and up to date
source of libqb packages.

Additionally, MySQL 5.5 is no longer supported.  Upstream has ended its
support and we are unable to backport fixes from newer versions due to
the lack of patch details. Options are to switch to MariaDB 10.0 in
jessie or to a newer version of MySQL in more recent Debian releases.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
