Re: requesting permission for tiff upload with security patch
Jay Berkenbilt wrote:
> Luk Claes <luk@debian.org> wrote:
>
>> Jay Berkenbilt wrote:
>>> I've prepared new tiff packages for stable-security and
>>> testing-security that include a patch to fix a recently discovered
>>> security problem. With the permission of the release team, I would
>>> like to go ahead and upload to unstable as well. The version would be
>>> 3.8.2-11, and I would upload with urgency high because of the security
>>> update. The change is small and safe.
>>>
>>> In the interest of full disclosure, I should mention that I also
>>> switched my patch management from cdbs simple-patchsys to quilt. I
>>> have done thorough testing to make sure that the package is otherwise
>>> the same, so I believe this is safe to upload to unstable even at this
>>> late date.
>>>
>>> I won't take any action without an okay from the release team.
>> Please upload.
>>
>> One remark though: We'd rather not see the switch of the patch management
>> system this close to release. If you do decide to go for the patch
>> management change we'll have to review the result of that change which
>> takes more time...
>
> I've already done the patch change, and I was going to wait until
> after the release. I can revert my packaging and upload, but it seems
> kinda silly at this point. Here is a complete list of changes that I
> made to switch to quilt:
>
> ----------------------------------------------------------------------
> diff -u tiff-3.8.2/debian/rules tiff-3.8.2/debian/rules
> --- tiff-3.8.2/debian/rules
> +++ tiff-3.8.2/debian/rules
> @@ -9,7 +9,7 @@
>
> # Include cdbs rules files.
> include /usr/share/cdbs/1/rules/tarball.mk
> -include /usr/share/cdbs/1/rules/simple-patchsys.mk
> +include /usr/share/cdbs/1/rules/patchsys-quilt.mk
> include /usr/share/cdbs/1/rules/debhelper.mk
> include /usr/share/cdbs/1/class/autotools.mk
>
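Review bot: Replacing simple-patchsys.mk with patchsys-quilt.mk on the include line changes how the set of applied patches is chosen, and the diff shown here does not include the new series file or the patch renames. simple-patchsys applies the files it finds in debian/patches, while quilt applies only what debian/patches/series lists, in that order, so a patch missing from series is silently skipped. Please attach the series file and the rename list so it can be confirmed that every patch, including the security fix, is listed and in the same order as before.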
> diff -u tiff-3.8.2/debian/control tiff-3.8.2/debian/control
> --- tiff-3.8.2/debian/control
> +++ tiff-3.8.2/debian/control
> @@ -3,8 +3,8 @@
> Priority: optional
> Maintainer: Jay Berkenbilt <qjb@debian.org>
> Uploaders: Josip Rodin <joy-packages@debian.org>
> -Build-Depends: cdbs, debhelper (>= 4.1.0), zlib1g-dev, libjpeg62-dev, libxmu-dev, libglu1-mesa-dev, freeglut3-dev, libxi-dev
> -Standards-Version: 3.7.3
> +Build-Depends: cdbs, quilt, debhelper (>= 4.1.0), zlib1g-dev, libjpeg62-dev, libxmu-dev, libglu1-mesa-dev, freeglut3-dev, libxi-dev
> +Standards-Version: 3.8.0
> Homepage: http://libtiff.maptools.org
>
> Package: libtiff4
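Review bot: The Standards-Version change from 3.7.3 to 3.8.0 is bundled into the same upload as the security patch and is not needed for it, which widens what has to be reviewed for an urgency=high upload. The added quilt entry in Build-Depends is required by the patchsys-quilt.mk include, so that part is consistent. Suggest listing the Standards-Version bump and the patch-system switch as separate changelog entries from the security fix so the scope of each change is clear.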
>
> ----------------------------------------------------------------------
>
> In addition, I renamed a few of the patches, normalized everything to
> -p1, and created a series file. I also added a README.source.
>
> To test this, I did an extract of the sources for the 3.8.2-10+lenny1
> and 3.8.2-11 packages, ran ./debian/rules patch in each, and diffed
> the resulting build-tree directories. The only differences:
>
> % diff -ur build-tree ../../3.8.2-10+lenny1/tiff-3.8.2/build-tree
> Only in build-tree/tiff-3.8.2: .pc
>
> I'm hoping that, given this, you'll be okay with my going ahead and
> uploading the quilt/standards 3.8.0 version. If not, I can revert
> this change and reapply it after the upload. Alternatively, I can use
> urgency=medium or urgency=low instead of urgency=high.
Please upload.
Cheers
Luk