
Re: Security update for ‘burn’ package



On Sun, 2009-08-23 at 15:57 +1000, Ben Finney wrote:
> The package ‘burn’ has a security bug open, assigned the alert number
> TEMP-0542329 “burn: Insecure escaping of file names”. I have been
> advised to make a bug-fix release of this package for ‘stable’ and
> send a ‘debdiff’ output to this forum.
[...]
> For this security update in ‘stable’, I have made changes that will
> *not* be incorporated into the normal history of the package; e.g. the
> ‘debian/changelog’ entry for this release will not appear in the
> Squeeze version of the package.
> 
>     Question: Is it correct to put changes in a stable update that
>     effectively make a dead-end branch in the history?

Does the version of the package in unstable suffer from the same
security issues? If so then the only changes that will be "missing" from
the history of the package will be the changelog.

If that's what you meant, then any stable update is a new branch of the
package history as the update package will never (well, excepting the
case where the stable update has a higher version than the package in
testing) become part of the next stable release.

> Since I am not a Debian Developer, I have put the package online at
> <URL:http://mentors.debian.net/debian/pool/main/b/burn/burn_0.4.3-2.2.dsc>.
> The output of ‘debdiff burn_0.4.3-{2.1,2.2}.dsc’ is attached to this
> message.
> 
>     Question: Do I also need to separately seek a sponsor for this
>     package to be uploaded to Debian?

For stable, or for unstable? In either case, the answer is yes - uploads
to any Debian archive must be signed by a key in the Debian keyring.

One quick query about the debdiff; apologies if I'm missing something,
but this hunk looks like a functionality change, rather than a strict
replacement:

+-              if path_excluded:
+-                      iso.mkisofs_line_append(path_excluded + ' ')
++              for path_excluded in paths_excluded:
++                      iso.mkisofs_args.extend(["-x", path_excluded])
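Review bot: the new lines change behaviour as well as escaping. The old code appended at most one `path_excluded` to the mkisofs command line, guarded by `if path_excluded:`, while the new code passes every entry of `paths_excluded` as its own `-x` argument with no check for empty entries, so an empty string in that list would be passed on as `-x ''`. The part that addresses the escaping bug is `iso.mkisofs_args.extend(["-x", path_excluded])`, which hands the path to mkisofs as a separate argument instead of concatenating it into a line with `path_excluded + ' '`; the move from a single exclusion to a loop over several is a separate change that the stable changelog should state explicitly (or that could be kept for unstable), and the empty-entry guard should be restored if the old behaviour relied on it.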

Regards,

Adam