
Bug#687236: marked as done (unblock: postgresql-9.1/9.1.5-2)



Your message dated Wed, 19 Sep 2012 20:26:14 +0100
with message-id <1348082774.26713.16.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#687236: unblock: postgresql-9.1/9.1.5-2
has caused the Debian Bug report #687236,
regarding unblock: postgresql-9.1/9.1.5-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
687236: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687236
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hello release team,

10 days ago I uploaded a new PostgreSQL 9.1 which re-enables build
hardening. We have had this for a long time already, but it was
accidentally dropped in 9.1.3-2 when I made the package compatible
with both the new dpkg method and hardening-wrapper (for backports).

  http://packages.qa.debian.org/p/postgresql-9.1/news/20120831T084902Z.html

9.1.5-2 reintroduces hardening again. As PostgreSQL is a fairly
widespread server application, its job is to process tons of strings,
user data, etc., it particularly benefits from hardening, so it would
be a shame to regress this in wheezy due to this oversight.

The other change in -2 is a Breaks/Replaces fix for handling backports
variants, and a corresponding preinst transition which only affects
Ubuntu (as Debian's archives do not have Debian revisions starting
with -0).

The package successfully passes the upstream as well as the
postgresql-common integration tests and built fine on all
architectures (except hurd-i386, but it almost never built there
anyway).

Thank you for considering!

Martin

unblock postgresql-9.1/9.1.5-2

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
diff -Nru postgresql-9.1-9.1.5/debian/changelog postgresql-9.1-9.1.5/debian/changelog
--- postgresql-9.1-9.1.5/debian/changelog	2012-08-17 12:42:45.000000000 +0000
+++ postgresql-9.1-9.1.5/debian/changelog	2012-08-31 07:55:01.000000000 +0000
@@ -1,3 +1,21 @@
+postgresql-9.1 (9.1.5-2) unstable; urgency=low
+
+  * debian/rules: Re-enable hardening functions (regression from 9.1.3-2 when
+    hardening-wrapper is not installed). Use "hardening=all", but disable
+    "pie" (as that's not compatible with -fPIC) and add -pie to CFLAGS
+    explicitly. Also drop the explicit "-Wl,-z,now" linker option, as this is
+    now implied with "all". (LP: #1039618)
+  * Fix upgrades from older 9.1 releases in stable Ubuntu -updates/-security
+    releasese. The strict "<< 9.1.4-2~" check for moving pg_basebackup.1.gz is
+    not sufficient, as Ubuntu stables have newer upstream releases by now.
+    - debian/control: Move Breaks/Replaces: from static version to
+      ${binary:Version}.
+    - debian/postgresql-9.1.preinst: Also fix the alternatives when upgrading
+      from a -0something version.
+    - (LP: #1043449)
+
+ -- Martin Pitt <mpitt@debian.org>  Fri, 31 Aug 2012 09:54:27 +0200
+
 postgresql-9.1 (9.1.5-1) unstable; urgency=medium
 
   * Urgency medium due to security fixes and bug fixes which should reach
diff -Nru postgresql-9.1-9.1.5/debian/control postgresql-9.1-9.1.5/debian/control
--- postgresql-9.1-9.1.5/debian/control	2012-08-17 12:42:45.000000000 +0000
+++ postgresql-9.1-9.1.5/debian/control	2012-08-31 07:55:01.000000000 +0000
@@ -170,8 +170,8 @@
 Conflicts: postgresql (<< 7.5)
 Suggests: postgresql-9.1, postgresql-doc-9.1
 Provides: postgresql-client
-Breaks: postgresql-9.1 (<< 9.1.4-2~)
-Replaces: postgresql-9.1 (<< 9.1.4-2~)
+Breaks: postgresql-9.1 (<< ${binary:Version})
+Replaces: postgresql-9.1 (<< ${binary:Version})
 Description: front-end programs for PostgreSQL 9.1
  This package contains client and administrative programs for
  PostgreSQL: these are the interactive terminal client psql and
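Review bot: `Breaks: postgresql-9.1 (<< ${binary:Version})` and the matching `Replaces:` now apply to every future upload, not only to the manpage move that the old `<< 9.1.4-2~` bound described. With the substvar, any upgrade of this client package requires the server package to move to the same version in the same transaction. If that lock-step is intended, a one-line explanation next to the field or in the packaging notes would keep a later maintainer from "fixing" it back to a static version.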
diff -Nru postgresql-9.1-9.1.5/debian/postgresql-9.1.preinst postgresql-9.1-9.1.5/debian/postgresql-9.1.preinst
--- postgresql-9.1-9.1.5/debian/postgresql-9.1.preinst	2012-08-17 12:42:45.000000000 +0000
+++ postgresql-9.1-9.1.5/debian/postgresql-9.1.preinst	2012-08-31 07:55:01.000000000 +0000
@@ -2,10 +2,13 @@
 set -e
 
 # 9.1.4-2 moved pg_basebackup manpage from server to client; we need to rebuild
-# the alternatives for postmaster to drop pg_basebackup.1.gz from the group
-if [ "$1" = "upgrade" ] || [ "$1" = "install" ] && \
-	dpkg --compare-versions "$2" lt-nl "9.1.4-2~"; then
-    update-alternatives --remove postmaster.1.gz /usr/share/postgresql/9.1/man/man1/postmaster.1.gz
+# the alternatives for postmaster to drop pg_basebackup.1.gz from the group; we
+# also need to do this when upgrading from stable-updates/security, i. e. from
+# a -0something version
+if [ "$1" = "upgrade" ] || [ "$1" = "install" ]; then
+    if dpkg --compare-versions "$2" lt-nl "9.1.4-2~" || echo "$2" | grep -q -- '-0'; then
+        update-alternatives --remove postmaster.1.gz /usr/share/postgresql/9.1/man/man1/postmaster.1.gz
+    fi
 fi
 
 #DEBHELPER#
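Review bot: the `grep -q -- '-0'` test in the new inner `if` matches the substring "-0" anywhere in "$2", not only at the start of the Debian revision that the comment describes as "a -0something version". Testing the revision part alone, for example `case "${2##*-}" in 0*) ...`, would say what the comment says. The branch also fires on every later upgrade from any -0 version, including ones that already ship the manpage in the client package, so it is worth confirming that the repeated `update-alternatives --remove` is harmless under `set -e`.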
diff -Nru postgresql-9.1-9.1.5/debian/rules postgresql-9.1-9.1.5/debian/rules
--- postgresql-9.1-9.1.5/debian/rules	2012-08-17 12:42:45.000000000 +0000
+++ postgresql-9.1-9.1.5/debian/rules	2012-08-31 07:55:01.000000000 +0000
@@ -4,10 +4,11 @@
 
 # support both hardening-wrapper (for backports) and dpkg-buildflags
 export DEB_BUILD_HARDENING = 1
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie
 DPKG_EXPORT_BUILDFLAGS = 1
 -include /usr/share/dpkg/buildflags.mk
-LDFLAGS+= -Wl,--as-needed -Wl,-z,now
-CFLAGS+= -fPIC
+LDFLAGS+= -Wl,--as-needed
+CFLAGS+= -fPIC -pie
 
 # When protecting the postmaster with oom_adj=-17, allow the OOM killer to slay
 # the backends (http://archives.postgresql.org/pgsql-hackers/2010-01/msg00170.php)
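Review bot: dropping `-Wl,-z,now` from `LDFLAGS` makes immediate binding depend entirely on `hardening=+all` being applied through buildflags.mk, which is pulled in with `-include` and is therefore skipped silently when the file is absent. Since this upload exists because hardening was lost without anyone noticing, a build-time check on the resulting flags or binaries would catch a repeat. Separately, `hardening=+all,-pie` followed by `CFLAGS+= -fPIC -pie` reads as contradictory without the changelog at hand; a short comment in debian/rules giving the reason (pie from the build flags not being compatible with -fPIC) would help.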

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message ---
On Mon, 2012-09-17 at 07:16 +0200, Martin Pitt wrote:
> Adam D. Barratt [2012-09-16 15:17 +0100]:
> > On Tue, 2012-09-11 at 06:20 +0200, Martin Pitt wrote:
> > > The other change in -2 is a Breaks/Replaces fix for handling backports
> > > variants,
> > 
> > +  * Fix upgrades from older 9.1 releases in stable Ubuntu -updates/-security
> > +    releasese. The strict "<< 9.1.4-2~" check for moving pg_basebackup.1.gz is

s/releasese/releases/, fwiw.

> > +    not sufficient, as Ubuntu stables have newer upstream releases by now.
> > +    - debian/control: Move Breaks/Replaces: from static version to
> > +      ${binary:Version}.
> > 
> > Newer upstream releases without the manpage move?  Apologies if I'm
> > missing something here.
> 
> We released e. g. 9.1.1-1 into Ubuntu 11.10, which had the manpage at
> the wrong place. For security updates, both Debian and Ubuntu just
> take the new upstream version, not the complete backport (including
> packaging changes) from the development release.

In this specific case it looks like that won't affect Debian as we don't
have a stable release containing 9.1 yet.  However, the changes look
sane enough, supporting upgrades from Ubuntu releases wouldn't hurt :)
and there are already similar lock-step upgrade requirements for other
binary packages so meh.

Unblocked; thanks.

Regards,

Adam

--- End Message ---
