
Re: bugzilla 2.18-6, sarge candidate



Hi.

As I didn't have much spare time yesterday, I could not explain in
detail what we've done for the 2.18 package and why an upload to sarge
is welcome.

I will here list all the changes bugzilla 2.18 will provide, in the hope
that could justify why we'd like to see that package hinting sarge.


Upstream security issue fixed in 2.18
------------------------------------------------------------------------------

Summary:     XSS in Internal Error messages in Bugzilla 2.16.7 and 2.18rc3
CVE Name:    CAN-2004-1061
Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=272620

It was previously closed in our 2.16.7-2 package thanks to an upstream
patch though (Bug #288245).


Debian changes provided by our 2.18 package
------------------------------------------------------------------------------

One important bug fix is provided by our 2.18 package and is still open
in the 2.16 branch:

 303730 - failure creating a db with hyphens in name

The 2.18 package now handles a param file better than 2.16 did (with the
use of ucf when needed, and with an automatic upgrade of the file when
upgrading from previous version):

 305327 - bugzilla: params overwritten on upgrade

A couple of better translations are provided in the 2.18 package:

 305073 - bugzilla catalan debconf templates
 302911 - [INTL:nl] updated Dutch po-debconf translation
 (unreported fixes: New pt_BR.po, fr.po)

There are also several normal/minor bugs closed by the 2.18 package:

 221985 - bugzilla doesn't include "contrib" files 
 143154 - missing documentation and scripts from contrib
 291206 - CVS files in binary package
 253651 - Package contains .arch-ids directories
 275681 - unclear wording in bugzilla.template
 
And to conclude, I also recall the fact that some Debian users strongly
requested the arrival of 2.18 in sarge:

 290775 - Please consider packaging Bugzilla 2.18


Changes in the package's source
------------------------------------------------------------------------------

I'd also like to add that we enhanced the way the package is made in
2.18.

A huge cleaning has been done in the 2.18-5 package, and we also added the
use of dpatch in the build process in order to handle patches nicely.

There is now a set of 6 "dpatches" in the 2.18 sources, whereas the
2.16 ones have hard-coded patches in upstream sources:

 $ dpatch-list-patch
 Patches that would be applied:

 debian/patches/01_libpath.dpatch (<sukria@sukria.net>):
 Change every local paths to the Debian ones (/usr/share/bugzilla)

 debian/patches/02_checksetup.dpatch (<sukria@sukria.net>):
 Change checksetup.pl to fit our needs

 debian/patches/03_params_path.dpatch (<sukria@sukria.net>):
 Upstream patch: #291574 - Provide ability to specify location for the param file

 debian/patches/04_cookiepath.dpatch (<sukria@sukria.net>):
 Perform a check when entering a cookie path in editparams.cgi

 debian/patches/05_webpath.dpatch (<sukria@sukria.net>):
 Upstream patch: #280180 - Templates should provide a [% webpath %] token for a non standalone Bugzilla websites.

 debian/patches/06_contrib.dpatch (<sukria@sukria.net>):
 Change "shebangs" of contrib scripts to right Debian paths


Conclusion
------------------------------------------------------------------------------

For all the reasons above, I think that bugzilla 2.18-6 is worth an
upload to sarge, either for us (better debian sources, thus better
maintenance) or for our users (up-to-date upstream version).

Regards.

-- 
                                  Alexis Sukrieh <sukria@sukria.net>
                                               http://www.sukria.net

« Quidquid latine dictum sit, altum sonatur. » 
Whatever is said in Latin sounds profound.
