Bug#985973: marked as done (unblock: gnutls28/3.7.1-1)

To: Ivo De Decker <ivodd@respighi.debian.org>
Subject: Bug#985973: marked as done (unblock: gnutls28/3.7.1-1)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sat, 27 Mar 2021 13:45:05 +0000
Message-id: <[🔎] handler.985973.D985973.161685254011344.ackdone@bugs.debian.org>
Reply-to: 985973@bugs.debian.org
References: <E1lQ9Ci-0003Xb-0U@respighi.debian.org> <[🔎] YF7nXNKRFaYxgiZ5@argenau.bebt.de>

Your message dated Sat, 27 Mar 2021 13:42:16 +0000
with message-id <E1lQ9Ci-0003Xb-0U@respighi.debian.org>
and subject line unblock gnutls28
has caused the Debian Bug report #985973,
regarding unblock: gnutls28/3.7.1-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
985973: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985973
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: gnutls28/3.7.1-1
From: Andreas Metzler <ametzler@bebt.de>
Date: Sat, 27 Mar 2021 09:05:48 +0100
Message-id: <[🔎] YF7nXNKRFaYxgiZ5@argenau.bebt.de>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: gnutls28@packages.debian.org

Please unblock gnutls28 3.7.1. This is the first bugfix release
for the 3.7.x series.

Most notably it features the fix for a non-DSA security issue (potential
use-after-free in sending "key_share" and "pre_shared_key" extensions.
GNUTLS-SA-2021-03-10. CVE-2021-20231 CVE-2021-20232). Apart from that
there is plethora of minor and medium fixes. Fwiw it was released at
this point of time (just before the freeze) specifically to give us a
chance to ship in Debian bulleye.

While the diff is huge I strongly believe we make the right trade-off in
shipping this instead of cherry-picking more fixes:
* It has run through upstream's CI. Which is significant.
* GnuTLS probably will have CVE's during bullseye lifetime. Shipping .1
  instead of .0 will ease our work then a lot both in checking whether
  we are vulnerable and in applying patches.
* The cleanups are worth having.

Diff analysis:
ametzler@argenau:/tmp/gnutls4bullsey$ debdiff gnutls28_3.7.0-7.dsc gnutls28_3.7.1-1.dsc | lsdiff  | wc
   1722    1722   91156

Let's filter out auto* and the autogenerated documentation:
ametzler@argenau:/tmp/gnutls4bullsey$ debdiff gnutls28_3.7.0-7.dsc gnutls28_3.7.1-1.dsc | filterdiff -x '*/doc/*texi'  -x '*/doc/functions/*' -x '*/doc/manpages/*' -x '*/doc/gnutls.info*' -x '*/doc/reference/*' -x '*/build-aux/*' -x '*/configure' -x '*/Makefile.in' -x '*/stamp-vti'  -x '*/version.texi' -x '*/INSTALL' -x '*/ABOUT-NLS' -x'*.po' -x '*.bak'  | lsdiff  | wc
    434     434   17963
m4 is also copied autofoo stuff except for hooks.m4 which has the
libtool minor version bump (LT_REVISION 1 instead of 0). Then there is a
minor gnulib update.
ametzler@argenau:/tmp/gnutls4bullsey$ debdiff gnutls28_3.7.0-7.dsc gnutls28_3.7.1-1.dsc | filterdiff -x '*/doc/*texi'  -x '*/doc/functions/*' -x '*/doc/manpages/*' -x '*/doc/gnutls.info*' -x '*/doc/reference/*' -x '*/build-aux/*' -x '*/configure' -x '*/Makefile.in' -x '*/stamp-vti'  -x '*/version.texi' -x '*/INSTALL' -x '*/ABOUT-NLS' -x'*.po' -x '*.bak' -x '*/gl/*' -x '*/m4/*' | lsdiff  | wc
    314     314   13901

A huge part of the rest is testsuite cleanups, most noteably
        0ae814c77b18a925552b7a763a13ed1c63e2d1bd
        tests: suffix .sh for all shell-script tests Otherwise valgrind will
        run against /bin/sh.
        416485f6d4dde63e90d19916ab9dee8fe972be10
        tests: make any ad-hoc timeout setting controllable through envvar
ametzler@argenau:/tmp/gnutls4bullsey$ debdiff gnutls28_3.7.0-7.dsc gnutls28_3.7.1-1.dsc | filterdiff -x '*/doc/*texi'  -x '*/doc/functions/*' -x '*/doc/manpages/*' -x '*/doc/gnutls.info*' -x '*/doc/reference/*' -x '*/build-aux/*' -x '*/configure' -x '*/Makefile.in' -x '*/stamp-vti'  -x '*/version.texi' -x '*/INSTALL' -x '*/ABOUT-NLS' -x'*.po' -x '*.bak' -x '*/gl/*' -x '*/m4/*' | filterdiff -i '*/tests/*' | lsdiff | wc
    244     244   11059

Dropping this, /debian/patches/ and some more generated files ...
ametzler@argenau:/tmp/gnutls4bullsey$ debdiff gnutls28_3.7.0-7.dsc gnutls28_3.7.1-1.dsc | filterdiff -x '*/doc/*texi'  -x '*/doc/functions/*' -x '*/doc/manpages/*' -x '*/doc/gnutls.info*' -x '*/doc/reference/*' -x '*/build-aux/*' -x '*/configure' -x '*/Makefile.in' -x '*/stamp-vti'  -x '*/version.texi' -x '*/INSTALL' -x '*/ABOUT-NLS' -x'*.po' -x '*.bak' -x '*/gl/*' -x '*/m4/*' -x '*/tests/*' -x '*/debian/patches/*' -x '*/doc/gnutls-guile.*' -x '*/doc/gnutls.html' -x '*/gtk-doc.make' -x '*/aclocal.m4'   | lsdiff | wc
     55      55    1817

unblock gnutls28/3.7.1-1

Thanks, cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

Attachment: full.debdiff.xz
Description: application/xz

Attachment: stripped_down.debdiff.xz
Description: application/xz

Attachment: signature.asc
Description: PGP signature

--- End Message ---

--- Begin Message ---

To: 985973-done@bugs.debian.org

Subject: unblock gnutls28

From: Ivo De Decker <ivodd@respighi.debian.org>

Date: Sat, 27 Mar 2021 13:42:16 +0000

Message-id: <E1lQ9Ci-0003Xb-0U@respighi.debian.org>
Unblocked gnutls28.
--- End Message ---

Reply to:

References:
- Bug#985973: unblock: gnutls28/3.7.1-1
  - From: Andreas Metzler <ametzler@bebt.de>

Prev by Date: Uploading linux (5.10.26-1)
Next by Date: Bug#985984: marked as done (unblock: exim4/4.94-17)
Previous by thread: Bug#985973: unblock: gnutls28/3.7.1-1
Next by thread: Bug#985977: unblock: dlt-viewer/2.21.2+dfsg-1
Index(es):
- Date
- Thread