Bug#920804: release.debian.org: security upload for r-cran-readxl
On 30 January 2019 at 13:59, Adam D. Barratt wrote:
| On 2019-01-30 13:39, Dirk Eddelbuettel wrote:
| > On 30 January 2019 at 13:11, Adam D. Barratt wrote:
| > | On 2019-01-29 11:53, Dirk Eddelbuettel wrote:
| > ...
| > | > Happy to upload once you give a green light. (System information
| > | > removed as I type this on Ubuntu 18.10 ...)
| > |
| > | Apparently it was already uploaded.
| > |
| > | patches/updated-upstream-changes | 2699
| > | +++++++++++++++++++++++++++++++++++++++
| >
| > To unstable, yes - as 1.2.9000-1.
|
| and to stable - the diffstat above is from our automated tooling
| noticing the upload appearing in stable-new.

I see. I also (while commuting in) thought this may be the diff from April...

| > But Moritz asked me to also upload to
| > stretch. See https://packages.debian.org/search?keywords=r-cran-readxl
|
| I see. For reference, when a member of the Security Team says that, they
| usually mean "talk to the Release Team about uploading".

Moritz and then Salvatore pointed me to the manual and the recent d-d-a post
which suggest filing a bug (I did) and upload (I am trying :).

| > | Aside from being big enough to be non-trivial to review, the filename of
| > | that patch isn't ideal. If there are other upstream changes that need
| > | incorporating in future, are you simply planning on appending to that
| > | patch, rather than having separate patches for specific purposes?
| >
| > This is Debian packaging of the CRAN package readxl. Its current upstream
| > version is in better shape.
| >
| > I "have to" run this fix as a CVE had been issued. As Moritz (now CCed)
| > suggested that this doesn't need a full blown security upload (no DOS here,
| > just plain segfaults in R when libxls loaded) we went this route.
|
| That explains the size, but the filename still isn't ideal. That isn't
| reject-worthy in and of itself, it just has the potential to be more
| annoying to review if there's an additional update for the package in
| future. Let's see if any other issues pop up when someone finds
| sufficient tuits to review the full changes, rather than my initial run
| over the debdiff.

The changelog is more detailed. In essence, and just like in April, I updated
four files dealing with xls/ole/memory. Our tools then suggested
'dpkg-source --commit' which creates the one patch.

Dirk

|
| Regards,
|
| Adam
--
http://dirk.eddelbuettel.com | @eddelbuettel | edd@debian.org