Your message dated Tue, 25 Jun 2019 20:13:46 +0200
with message-id <cb702d92-2233-b057-93d0-59932d96fd96@debian.org>
and subject line Re: Bug#930293: unblock: docker.io/18.09.1+dfsg1-7
has caused the Debian Bug report #930293,
regarding unblock: docker.io [pre-approval]
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
930293: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930293
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: docker.io/18.09.1+dfsg1-7
- From: Arnaud Rebillout <arnaud.rebillout@collabora.com>
- Date: Mon, 10 Jun 2019 11:44:58 +0700
- Message-id: <156014189851.36800.2067599583435189715.reportbug@xps>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

I'm about to upload a fix for #929662 "docker.io: CVE-2018-15664", but before I do that I'd like to ask a question to the release team.

For now in testing we have docker.io 18.09.1, and on top of that I've been importing upstream patches to fix RC bugs, because from what I understand from the Policy, that's what I should do.

The 18.09 series of docker is a so-called "LTS", and that's exactly why it's THIS release in particular that I targeted for Buster, rather than a more recent release.

Every now and then upstream releases a new dot release, the latest to date is 18.09.6 (released in May). According to the upstream changelog, these are mostly fixes. And to get an idea of the volume, between 18.09.1 and 18.09.6, there were 142 commits, which is rather small compared to the size of docker's codebase.

So it seems to me that upstream really only adds fixes to the 18.09 series, and I also think that our users would be better served if they could have the latest version of this series in Buster, rather than what I'm doing now: only patching 18.09.1 with whatever bug was reported in Debian and marked RC, and ignoring all the other bugs that were reported and fixed upstream.

Hence I'd like to ask the release team if they think it would be suitable to unblock docker.io to allow the version 18.09.6 to be uploaded in Buster? Or, better, wait for the next 18.09.7 that will include the CVE fix, probably in the next days?

Or should I just stick to 18.09.1, and only upload a new debian version that only includes the CVE fix?

Thanks,

Arnaud

unblock docker.io/18.09.1+dfsg1-7

-- System Information:
Debian Release: 10.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
- To: Arnaud Rebillout <arnaud.rebillout@collabora.com>, 930293-done@bugs.debian.org, Shengjing Zhu <zhsj@debian.org>
- Subject: Re: Bug#930293: unblock: docker.io/18.09.1+dfsg1-7
- From: Paul Gevers <elbrus@debian.org>
- Date: Tue, 25 Jun 2019 20:13:46 +0200
- Message-id: <cb702d92-2233-b057-93d0-59932d96fd96@debian.org>
- In-reply-to: <d6e4ed27-93e1-b4e8-5543-9ceb872b3010@collabora.com>
- References: <ec38d171-9812-06c5-5c4f-f273dfe15846@debian.org> <156014189851.36800.2067599583435189715.reportbug@xps> <20190622201417.GA3225@debian> <40679125-5267-602e-07d4-80e358347fa0@debian.org> <156014189851.36800.2067599583435189715.reportbug@xps> <20190623115915.GA7594@debian> <dc93860c-668d-878f-40a3-816a6b7e7d8f@debian.org> <156014189851.36800.2067599583435189715.reportbug@xps> <20190623222847.GA10606@debian> <03a2a433-9ffd-f762-49f2-8e6c3dc800f4@debian.org> <20190625012602.GA6387@debian> <156014189851.36800.2067599583435189715.reportbug@xps> <d6e4ed27-93e1-b4e8-5543-9ceb872b3010@collabora.com>

Hi Arnaud,

On 25-06-2019 04:15, Arnaud Rebillout wrote:
> In docker.io we already apply a bunch of patches to disable tests that
> require root or that require network. Unless I'm mistaken, it's quite
> common to do that in debian packaging??

No, that is perfectly fine. It's just that I can't mindread from this distance (actually I don't know any distance where I can). And I don't have the time to investigate every package for unblocks, so you'll have to tell me (like you now did).

> Even though it's not ideal, I don't know of any better solution during
> the package build. Then there is autopkgtest of course, but I'm not
> familiar with it and I don't know if it's suitable for running a test
> suite with full capabilities (ie. root and network).

autopkgtest in principle can do that (with the right restrictions set). ci.debian.net runs with lxc, so it can do until isolation-container. If you need help, you can contact us on #debci on oftc. I'll have more time to help you after the release of buster.

That said, I decided to unblock docker.io.

Paul

Attachment: signature.asc
Description: OpenPGP digital signature
--- End Message ---