Bug#920804: release.debian.org: security upload for r-cran-readxl

["Adam D. Barratt" <adam@adam-barratt.org.uk>]

On 2019-01-30 13:39, Dirk Eddelbuettel wrote:
> On 30 January 2019 at 13:11, Adam D. Barratt wrote:
> | On 2019-01-29 11:53, Dirk Eddelbuettel wrote:
> ...
> | > Happy to upload once you give a green light.  (System information
> | > remove as I
> | > type this on Ubuntu 18.10 ...)
> |
> | Apparently it was already uploaded.
> |
> |    patches/updated-upstream-changes | 2699
> | +++++++++++++++++++++++++++++++++++++++
>
> To unstable, yes - as 1.2.9000-1.

and to stable - the diffstat above is from our automated tooling 
noticing the upload appearing in stable-new.

> But Moritz asked me to also upload to
> stretch. See https://packages.debian.org/search?keywords=r-cran-readxl

I see. For reference, when a member of the Security Team says that, they 
usually mean "talk to the Release Team about uploading".

> | Aside from being big enough to be non-trivial to review, the filename 
> of
> | that patch isn't ideal. If there are other upstream changes that need
> | incorporating in future, are you simply planning on appending to that
> | patch, rather than having separate patches for specific purposes?
>
> This is Debian packaging of the CRAN package readxl. It's current 
> upstream
> version is in better shape.
>
> I "have to" run this fix as CVE had been issued. As Moritz (now CCed)
> suggested that this doesn't need a full blown security upload (no DOS 
> here,
> just plain segfaults in R when libxls loaded) we went this route.

That explains the size, but the filename still isn't ideal. That isn't 
reject-worthy in and of itself, it just has the potential to be more 
annoying to review if there's an additional update for the package in 
future. Let's see if any other issues pop up when someone finds 
sufficient tuits to review the full changes, rather than my initial run 
over the debdiff.

Regards,

Adam