Bug#768068: wheezy-pu: package boinc/7.0.27+dfsg-5+deb7u1
Control: tags -1 moreinfo
On Thu, Mar 12, 2015 at 17:16:17 +0000, Gianfranco Costamagna wrote:
> Hi Adam,
>
> first, thanks for the review
>
> >
> >With apologies for not getting a proper response to this sooner, some
> >queries...
>
>
> no problem :)
> >+ * Tried to fix CVE-2013-2298 and CVE-2013-2018.
> >I'm not hugely keen on "tried to fix". :-( Are they fixed or not?
>
>
> I tried to fix them (meaning I backported the patches and rebased on top of the version)
>
> however we removed the build of the server packages, so the CVE is fixed, because we don't ship the code anymore.
>
> if you ask me why we keep the patches, I answer "because users might download the source and build their server manually"
>
I don't think that's reason enough to be touching the package in
(old)stable. The initial message was also saying some of this is used
on the client side, which is it?
>
> >+ * link_with_gold.patch: patched configure.ac to add -lX11 for linking client
> >+ with ld.gold.
>
> >Hmmm, gold isn't the default linker in wheezy afair? I guess this isn't
> >crazy based on the Build-Depends change.
>
>
> don't know, I didn't change this :) if it is a problem I can put Guo in the loop (if he doesn't already monitor the bug)
It's an unnecessary change. We don't like unnecessary changes in
(old)stable.
> +Subject: [PATCH] - client: don't show cache size in startup messages.
>
>
> yes, but again it is dead code :)
> >May well be taken from upstream, but appears to have nothing to do with
> >the content of the patch.
>
> >+workaround-objcxx.patch
>
> >What's the intent of this patch? It doesn't appear to be mentioned in
> >the changelog and only appears to touch code that's never going to be
> >used on Debian to begin with.
>
>
> seems a useless patch to me :)
>
> >+wrapper.patch
>
> >This also isn't mentioned in the changelog.
>
>
> safe patch, just adding some headers to avoid build failures with certain gcc versions...
>
> should I make another upload?
>
> really the debdiff can be so much reduced, I brought up a wheezy branch and added the fixes on top of it...
>
Again, we want to keep changes in (old)stable to a minimum. So we would
prefer a minimal diff that doesn't try to fix issues that don't affect
the package in wheezy.
Cheers,
Julien