
Bug#920804: release.debian.org: security upload for r-cran-readxl



On 30 January 2019 at 13:59, Adam D. Barratt wrote:
| On 2019-01-30 13:39, Dirk Eddelbuettel wrote:
| > On 30 January 2019 at 13:11, Adam D. Barratt wrote:
| > | On 2019-01-29 11:53, Dirk Eddelbuettel wrote:
| > ...
| > | > Happy to upload once you give a green light.  (System information
| > | > removed as I type this on Ubuntu 18.10 ...)
| > |
| > | Apparently it was already uploaded.
| > |
| > |    patches/updated-upstream-changes | 2699 +++++++++++++++++++++++++++++++++++++++
| > 
| > To unstable, yes - as 1.2.9000-1.
| 
| and to stable - the diffstat above is from our automated tooling 
| noticing the upload appearing in stable-new.

I see.  I also (while commuting in) thought this may be the diff from April...
 
| > But Moritz asked me to also upload to
| > stretch. See https://packages.debian.org/search?keywords=r-cran-readxl
| 
| I see. For reference, when a member of the Security Team says that, they 
| usually mean "talk to the Release Team about uploading".

Moritz and then Salvatore pointed me to the manual and the recent d-d-a post
which suggest filing a bug (I did) and upload (I am trying :).

| > | Aside from being big enough to be non-trivial to review, the filename of
| > | that patch isn't ideal. If there are other upstream changes that need
| > | incorporating in future, are you simply planning on appending to that
| > | patch, rather than having separate patches for specific purposes?
| > 
| > This is Debian packaging of the CRAN package readxl. Its current upstream
| > version is in better shape.
| > 
| > I "have to" run this fix as a CVE had been issued. As Moritz (now CCed)
| > suggested that this doesn't need a full-blown security upload (no DOS here,
| > just plain segfaults in R when libxls is loaded) we went this route.
| 
| That explains the size, but the filename still isn't ideal. That isn't 
| reject-worthy in and of itself, it just has the potential to be more 
| annoying to review if there's an additional update for the package in 
| future. Let's see if any other issues pop up when someone finds 
| sufficient tuits to review the full changes, rather than my initial run 
| over the debdiff.

The changelog is more detailed. In essence, and just like in April, I updated
four files dealing with xls/ole/memory.  Our tools then suggested
'dpkg-source --commit' which creates the one patch.

Dirk

| 
| Regards,
| 
| Adam

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | edd@debian.org

