
Bug#687236: unblock: postgresql-9.1/9.1.5-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hello release team,

10 days ago I uploaded a new PostgreSQL 9.1 which re-enables build
hardening. We have had this for a long time already, but it was
accidentally dropped in 9.1.3-2 when I made the package compatible
with both the new dpkg method and hardening-wrapper (for backports).

  http://packages.qa.debian.org/p/postgresql-9.1/news/20120831T084902Z.html

9.1.5-2 reintroduces hardening again. As PostgreSQL is a fairly
widespread server application, and its job is to process tons of strings,
user data, etc., it particularly benefits from hardening, so it would
be a shame to regress this in wheezy due to this oversight.

The other change in -2 is a Breaks/Replaces fix for handling backports
variants, and a corresponding preinst transition which only affects
Ubuntu (as Debian's archives do not have Debian revisions starting
with -0).

The package successfully passes the upstream as well as the
postgresql-common integration tests and built fine on all
architectures (except hurd-i386, but it almost never built there
anyway).

Thank you for considering!

Martin

unblock postgresql-9.1/9.1.5-2

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
diff -Nru postgresql-9.1-9.1.5/debian/changelog postgresql-9.1-9.1.5/debian/changelog
--- postgresql-9.1-9.1.5/debian/changelog	2012-08-17 12:42:45.000000000 +0000
+++ postgresql-9.1-9.1.5/debian/changelog	2012-08-31 07:55:01.000000000 +0000
@@ -1,3 +1,21 @@
+postgresql-9.1 (9.1.5-2) unstable; urgency=low
+
+  * debian/rules: Re-enable hardening functions (regression from 9.1.3-2 when
+    hardening-wrapper is not installed). Use "hardening=all", but disable
+    "pie" (as that's not compatible with -fPIC) and add -pie to CFLAGS
+    explicitly. Also drop the explicit "-Wl,-z,now" linker option, as this is
+    now implied with "all". (LP: #1039618)
+  * Fix upgrades from older 9.1 releases in stable Ubuntu -updates/-security
+    releasese. The strict "<< 9.1.4-2~" check for moving pg_basebackup.1.gz is
+    not sufficient, as Ubuntu stables have newer upstream releases by now.
+    - debian/control: Move Breaks/Replaces: from static version to
+      ${binary:Version}.
+    - debian/postgresql-9.1.preinst: Also fix the alternatives when upgrading
+      from a -0something version.
+    - (LP: #1043449)
+
+ -- Martin Pitt <mpitt@debian.org>  Fri, 31 Aug 2012 09:54:27 +0200
+
 postgresql-9.1 (9.1.5-1) unstable; urgency=medium
 
   * Urgency medium due to security fixes and bug fixes which should reach
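Review bot: typo in the second entry of the new 9.1.5-2 stanza: "releasese" in "stable Ubuntu -updates/-security releasese" should read "releases". The first entry gives the reason for dropping "pie" ("not compatible with -fPIC") only here; the same one-line rationale would be useful as a comment next to the flags in debian/rules, where the next person to touch them will look.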
diff -Nru postgresql-9.1-9.1.5/debian/control postgresql-9.1-9.1.5/debian/control
--- postgresql-9.1-9.1.5/debian/control	2012-08-17 12:42:45.000000000 +0000
+++ postgresql-9.1-9.1.5/debian/control	2012-08-31 07:55:01.000000000 +0000
@@ -170,8 +170,8 @@
 Conflicts: postgresql (<< 7.5)
 Suggests: postgresql-9.1, postgresql-doc-9.1
 Provides: postgresql-client
-Breaks: postgresql-9.1 (<< 9.1.4-2~)
-Replaces: postgresql-9.1 (<< 9.1.4-2~)
+Breaks: postgresql-9.1 (<< ${binary:Version})
+Replaces: postgresql-9.1 (<< ${binary:Version})
 Description: front-end programs for PostgreSQL 9.1
  This package contains client and administrative programs for
  PostgreSQL: these are the interactive terminal client psql and
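Review bot: the new bound (<< ${binary:Version}) on Breaks:/Replaces: is far wider than the file move it exists for. It declares every older postgresql-9.1 broken by this client package, so whenever both are installed the server has to be upgraded in lockstep with the client, including between versions that both already ship pg_basebackup.1.gz in the client. If that coupling is intended as the price of covering the Ubuntu -0something versions, say so in the changelog entry; otherwise consider keeping a fixed bound and handling the Ubuntu versions separately.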
diff -Nru postgresql-9.1-9.1.5/debian/postgresql-9.1.preinst postgresql-9.1-9.1.5/debian/postgresql-9.1.preinst
--- postgresql-9.1-9.1.5/debian/postgresql-9.1.preinst	2012-08-17 12:42:45.000000000 +0000
+++ postgresql-9.1-9.1.5/debian/postgresql-9.1.preinst	2012-08-31 07:55:01.000000000 +0000
@@ -2,10 +2,13 @@
 set -e
 
 # 9.1.4-2 moved pg_basebackup manpage from server to client; we need to rebuild
-# the alternatives for postmaster to drop pg_basebackup.1.gz from the group
-if [ "$1" = "upgrade" ] || [ "$1" = "install" ] && \
-	dpkg --compare-versions "$2" lt-nl "9.1.4-2~"; then
-    update-alternatives --remove postmaster.1.gz /usr/share/postgresql/9.1/man/man1/postmaster.1.gz
+# the alternatives for postmaster to drop pg_basebackup.1.gz from the group; we
+# also need to do this when upgrading from stable-updates/security, i. e. from
+# a -0something version
+if [ "$1" = "upgrade" ] || [ "$1" = "install" ]; then
+    if dpkg --compare-versions "$2" lt-nl "9.1.4-2~" || echo "$2" | grep -q -- '-0'; then
+        update-alternatives --remove postmaster.1.gz /usr/share/postgresql/9.1/man/man1/postmaster.1.gz
+    fi
 fi
 
 #DEBHELPER#
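Review bot: the added test echo "$2" | grep -q -- '-0' on the inner if line matches "-0" anywhere in the old version string and has no upper bound, so it is also true for any later -0something version that already has the corrected alternatives group, and the update-alternatives --remove call then runs on every such upgrade. Consider anchoring the pattern to the start of the Debian revision (for example '-0[^-]*$') and pairing it with a dpkg --compare-versions upper bound for the first version carrying this fix, and extend the comment above to state which version range the -0 branch is meant to cover.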
diff -Nru postgresql-9.1-9.1.5/debian/rules postgresql-9.1-9.1.5/debian/rules
--- postgresql-9.1-9.1.5/debian/rules	2012-08-17 12:42:45.000000000 +0000
+++ postgresql-9.1-9.1.5/debian/rules	2012-08-31 07:55:01.000000000 +0000
@@ -4,10 +4,11 @@
 
 # support both hardening-wrapper (for backports) and dpkg-buildflags
 export DEB_BUILD_HARDENING = 1
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie
 DPKG_EXPORT_BUILDFLAGS = 1
 -include /usr/share/dpkg/buildflags.mk
-LDFLAGS+= -Wl,--as-needed -Wl,-z,now
-CFLAGS+= -fPIC
+LDFLAGS+= -Wl,--as-needed
+CFLAGS+= -fPIC -pie
 
 # When protecting the postmaster with oom_adj=-17, allow the OOM killer to slay
 # the backends (http://archives.postgresql.org/pgsql-hackers/2010-01/msg00170.php)
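Review bot: "CFLAGS+= -fPIC -pie" puts a link-mode option into the compile flags with no comment in this file explaining why pie is switched off in DEB_BUILD_MAINT_OPTIONS (hardening=+all,-pie) and then re-added by hand. Since -pie only takes effect at link time, it will reach whatever links are driven through CFLAGS, shared objects included, so a short comment stating the intent and which binaries are expected to end up as PIE would help. The removal of -Wl,-z,now also relies on "+all" supplying bindnow; as the comment at the top of the hunk says this file must work with hardening-wrapper as well, it is worth confirming in the request that both build paths were checked for PIE and immediate binding on the resulting binaries.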

Attachment: signature.asc
Description: Digital signature

