
Re: Security update for ‘burn’ package



"Adam D. Barratt" <adam@adam-barratt.org.uk> writes:

> On Sun, 2009-08-23 at 15:57 +1000, Ben Finney wrote:
> >     Question: Is it correct to put changes in a stable update that
> >     effectively make a dead-end branch in the history?
>
> Does the version of the package in unstable suffer from the same
> security issues? If so then the only changes that will be "missing"
> from the history of the package will be the changelog.
>
> If that's what you meant

Yes.

> then any stable update is a new branch of the package history as the
> update package will never (well, excepting the case where the stable
> update has a higher version than the package in testing) become part
> of the next stable release.

Good, thanks for explaining that.

> >     Question: Do I also need to separately seek a sponsor for this
> >     package to be uploaded to Debian?
>
> For stable, or for unstable?

The question was specifically about the updated package for ‘stable’.

> In either case, the answer is yes - uploads to any Debian archive must
> be signed by a key in the Debian keyring.

Okay. So I should seek a sponsor in the ‘debian-mentors’ forum for the
update into ‘stable’? Or should that be done here on the
‘debian-release’ forum?

> One quick query about the debdiff; apologies if I'm missing something,
> but this hunk looks like a functionality change, rather than a strict
> replacement:
>
> +-              if path_excluded:
> +-                      iso.mkisofs_line_append(path_excluded + ' ')
> ++              for path_excluded in paths_excluded:
> ++                      iso.mkisofs_args.extend(["-x", path_excluded])
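
Review bot: the loop variable `path_excluded` in the added `for` line reuses the name that the removed `if path_excluded:` line used for the accumulated option string. Consider a distinct name, or confirm that no other reference to the old string survives the backport. Dropping the `if` guard itself is fine, since the loop body never runs when `paths_excluded` is empty.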

Thanks for asking. This change is necessary to go from invoking a shell
with a single command-line string, to invoking a list of command-line
arguments to be executed directly.

This particular hunk follows from others that change from “accumulate a
single string of ‘-x foo ’ substrings”, to “accumulate each ‘foo’ and
then apply pairs of ‘["-x", "foo"]’ arguments”. In other words, the loop
now accumulates only the filename arguments, and not the ‘-x’ option to
go with each:

> +-     path_excluded = path_excluded + '-x ' + '\'' + join(root,d) + '\'' + ' '
> ++     paths_excluded.append(join(root, d))
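
Review bot: the added `paths_excluded.append(...)` line needs `paths_excluded` to start out as an empty list, and that initialisation is not visible in this hunk. Confirm it replaces the initialisation of the old `path_excluded` string in the same patch. The removed line wrapped each path in single quotes by hand, which does not hold for a name that itself contains a single quote, so a short comment noting that paths are stored unquoted because they are passed as separate arguments would help later readers.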

This is a backport of the same approach from the version in ‘unstable’.


Thanks again for checking the debdiff. Please let me know if I should be
seeking a sponsor for the upload into ‘stable’ here or on -mentors.

-- 
 \     “Buy not what you want, but what you need; what you do not need |
  `\             is expensive at a penny.” —Cato, 234–149 BCE, Relique |
_o__)                                                                  |
Ben Finney
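
The difference between the two approaches discussed in this message, as an added example that is not part of the original mail or of the ‘burn’ package. The function names, the `/srv` root and the directory names are assumptions constructed for illustration; only the two loop bodies mirror the quoted hunks.

```python
import shlex
from posixpath import join  # POSIX joins regardless of host OS


def old_exclude_string(root, dirs):
    """Pre-patch style: one shell string of "-x 'path' " fragments."""
    path_excluded = ''
    for d in dirs:
        path_excluded = path_excluded + '-x ' + '\'' + join(root, d) + '\'' + ' '
    return path_excluded


def new_exclude_args(root, dirs):
    """Post-patch style: collect bare paths, then pair each with "-x"."""
    paths_excluded = []
    for d in dirs:
        paths_excluded.append(join(root, d))
    mkisofs_args = []
    for path_excluded in paths_excluded:
        mkisofs_args.extend(["-x", path_excluded])
    return mkisofs_args


def shell_view(fragment):
    """Tokenise as a POSIX shell would (nothing is executed).

    Returns None when the quoting is unbalanced.
    """
    try:
        return shlex.split(fragment)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed directory names, not taken from the package or the mail.
    for name in ["my files", "dave's mix", "a' -v 'b"]:
        print(repr(name))
        print("  string via shell:", shell_view(old_exclude_string("/srv", [name])))
        print("  argument list:   ", new_exclude_args("/srv", [name]))
```

For ordinary names both forms give the same arguments. Once a name contains a single quote, the string form is either unparseable or splits into extra arguments, while the list form keeps the name as one argument.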

