On Fri, May 06, 2005 at 10:11:40AM +0200, Alexis Sukrieh wrote:
> As I didn't have much spare time yesterday, I could not explain in
> details what we've done for the 2.18 package and why an upload to sarge
> is welcome.
>
> I will here list all the changes bugzilla 2.18 will provide, in the hope
> that could justify why we'd like to see that package hinting sarge.
>
> Upstream security issue fixed in 2.18
> ------------------------------------------------------------------------------
>
> Summary: XSS in Internal Error messages in Bugzilla 2.16.7 and 2.18rc3
> CVE Name: CAN-2004-1061
> Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=272620
>
> It was previously closed in our 2.16.7-2 package thanks to an upstream
> patch though (Bug #288245).

Er, then why list it here when we have 2.16.7-5 in testing already? We
need info about things that are wrong with the version in testing, not
about non-issues.

> Debian changes provided by our 2.18 package
> ------------------------------------------------------------------------------
>
> One important bug fix is provided by our 2.18 package and is still open
> in the 2.16 branch:
>
> 303730 - failure creating a db with hyphens in name
>
> The 2.18 package now handles a param file better than 2.16 did (with the
> use of ucf when needed, and with an automatic upgrade of the file when
> upgrading from previous version):
>
> 305327 - bugzilla: params overwritten on upgrade

To backport the two fixes above to 2.16, how much time would be required?
How large would they be?

> A couple of better translations are provided in the 2.18 package:
>
> 305073 - bugzilla catalan debconf templates
> 302911 - [INTL:nl] updated Dutch po-debconf translation
>
> (unreported fixes: New pt_BR.po, fr.po)

Which are obviously easy to get in via t-p-u.

> And to conclude, I also recall the fact some debian users strongly
> requested the arrival of 2.18 in sarge:
>
> 290775 - Please consider packaging Bugzilla 2.18

Users ask for many things that it's not feasible for us to give them.

The fact is that the diff between 2.16.7-5 and 2.18-6 is 197,000 lines
long; while I accept that many of these changes are improvements, there
is also the possibility of regressions, and bugzilla 2.18 did not get
uploaded to unstable until April 18 -- i.e., 17 days after our "last
call" email went out on d-d-a, and providing only 16 days of testing of
this upstream branch by users of unstable prior to the freeze (and with
four uploads during that period, no less).

I understand why you are arguing for its inclusion, and I realize (from
comments on IRC) that you've put a lot of effort into trying to get 2.18
ready for sarge, but I'm afraid I just don't see that it's ready in
time, sorry.

-- 
Steve Langasek
postmodern programmer