
Bug#1050301: bookworm-pu: package dgit/10.7+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: dgit@packages.debian.org, 1050179@bugs.debian.org
Control: affects -1 + src:dgit

[ Reason ]

Affected dgit versions are unable to fetch security updates for
bullseye and bookworm.  (Security fetches for buster are unaffected.)

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050179

[ Impact ]

Attempts to track security updates with dgit result in an error.
dgit doesn't update the local tracking branches, prints alarming
looking messages to stderr, and exits nonzero.  Nevertheless, in some
circumstances (eg automatic update processes), if not noticed, this
might result in unapplied security patches.

Affected users are those who are *running* buggy versions of dgit
(which currently includes everything except sid) to try to *fetch*
security updates for bullseye and bookworm.

There is a workaround, described in the bug, involving passing -c
options (or using `git config`).

[ Tests ]

The failure is in the interface between dgit configuration and Debian
infrastructure.  Debian changed the apt location of the security
suites, but we didn't change dgit.

The automated tests all work with simulated archives.  So the problem
was not detected.  This could perhaps be improved, but making network
accesses to real infrastructure during tests is troublesome.

Instead, for now, I have tested the fix manually.  I ran an old dgit
and verified that it couldn't fetch security updates for bullseye and
bookworm.  (It could fetch security updates for buster; and stretch
is completely gone from the normal Debian suites supported by dgit.)

I then built (using sbuild) and installed 10.7+deb12u1, and manually
tested.  I verified that dgit fetch for each of the dgit "combined
suites" worked; I verified by examining the output by eye that for my
test package (bind9, which has security updates in all three active
suites) dgit did indeed find the security updates.

My test runes were:
  dgit fetch buster,-security
  dgit fetch bullseye,-security
  dgit fetch bookworm,-security

[ Risks ]

This part of the config is regexps applied to URLs.  If the regexps
were wrong, they could break various attempts to fetch, including
possibly things we didn't intend to affect.

In mitigation:

The config settings are under "dgit-distro.debian-security", so they
should only affect fetches from that "distro", ie, mostly things that
are currently broken.

"buster-security" is not currently broken, but I have manually tested
that it still works.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

The only change is to the default configuration for the regexps which
attempt to massage apt fetch URLs for debian-security.
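To make the [ Risks ] and [ Changes ] sections concrete, here is an added illustration (not dgit's own code) that applies the old and new aptget-suite-map / -rmap regexps from the debdiff to the three combined suites.  It assumes a constructed stand-in for security.debian.org in which buster is the last suite served under the old /updates layout.

```python
import re

# The two regexp settings from the debdiff, before and after the fix.  dgit
# keeps them in Perl s#pat#repl# form; here each is a (pattern, replacement)
# pair for re.sub.  The map turns a dgit suite name into the name used in the
# apt archive; the rmap turns the codename apt reports back into dgit's name.
OLD_CONFIG = {"map": (r"-security$", "/updates"), "rmap": (r"$", "-security")}
NEW_CONFIG = {"map": (r"buster-security$", "buster/updates"),
              "rmap": (r"buster$", "buster-security")}

# Constructed stand-in for security.debian.org: apt suite path -> codename
# reported by its Release file.  Assumption for this example only: buster is
# the last suite still served under the old /updates layout.
SECURITY_ARCHIVE = {
    "buster/updates": "buster",
    "bullseye-security": "bullseye-security",
    "bookworm-security": "bookworm-security",
}

COMBINED_SUITES = ("buster-security", "bullseye-security", "bookworm-security")


def apply(setting, name):
    """Apply one s### style setting (pattern, replacement) to a suite name."""
    pattern, repl = setting
    return re.sub(pattern, repl, name, count=1)


def resolve(config, dgit_suite):
    """Return (apt_suite, round_tripped_name), or (apt_suite, None) when the
    mapped apt suite does not exist in the archive (the failure in #1050179)."""
    apt_suite = apply(config["map"], dgit_suite)
    codename = SECURITY_ARCHIVE.get(apt_suite)
    if codename is None:
        return apt_suite, None
    return apt_suite, apply(config["rmap"], codename)


def fetch_report(config):
    """True per combined suite when the apt suite exists and the reverse map
    restores the dgit suite name, i.e. when 'dgit fetch X,-security' works."""
    return {s: resolve(config, s)[1] == s for s in COMBINED_SUITES}


if __name__ == "__main__":
    for label, cfg in (("old", OLD_CONFIG), ("new", NEW_CONFIG)):
        for suite in COMBINED_SUITES:
            print(label, suite, "->", resolve(cfg, suite))
```

With the old settings, bullseye-security and bookworm-security are rewritten to /updates paths that do not exist, which is the failure described above; with the new settings only buster is rewritten and all three suites resolve.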

[ Other info ]

In anticipation of your approval, I will upload for bookworm shortly.

I'm not sure if we should update buster (oldoldstable) too.

dgit's design intent is that you should be able to use an old dgit to
fetch from even newer versions of Debian.

However, there might of course be other reasons why that might fail,
including incompatibly-new source packages which can't be handled by
old tools.  (Or source packages which are sufficiently strange that
you need bugfixes available only in newer dgit.)  And, it is
generally easy to update to a newer dgit without updating one's whole
system.  So, in particular, people doing automated updates or fetching
the whole distro would probably need a new dgit anyway.

Furthermore, these old dgits have never been able to fetch security
updates for the affected suites.  So there hasn't been a regression.

On the other hand, the effect - of making it hard to apply security
updates - is pretty bad.  The patch applies cleanly to buster and I am
pretty confident (without having tried it yet) it will just work.

diff --git a/debian/changelog b/debian/changelog
index cc49731f1..bf03d2744 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+dgit (10.7+deb12u1) bookworm; urgency=medium
+
+  * Use the old /updates security map only for buster.  Fixes fetching from
+    suites ,-security after buster.  [Matthew Vernon]  Closes: #1050179.
+
+ -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Tue, 22 Aug 2023 19:30:47 +0100
+
 dgit (10.7) unstable; urgency=medium
 
   * dgit(1), dgit-maint-merge(7): Copy-edit changes since dgit 9.16.
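Review bot: the entry says the old /updates map is now used "only for buster", but the removed lines in the dgit hunk show the previous regexps applied to every `-security` suite, so suites older than buster (stretch) also lose the /updates mapping with this change; since the cover text says stretch is gone from the suites dgit supports, a few words here stating that the mapping is dropped for pre-buster suites as well would make the changelog match the actual behaviour change.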
diff --git a/dgit b/dgit
index 3cbf8aa07..541420921 100755
--- a/dgit
+++ b/dgit
@@ -794,8 +794,8 @@ our %defcfg = ('dgit.default.distro' => 'debian',
 	       'dgit-distro.debian.mirror' => 'http://ftp.debian.org/debian/',
  'dgit-distro.debian-security.archive-query' => 'aptget:',
  'dgit-distro.debian-security.mirror' => 'http://security.debian.org/debian-security/',
- 'dgit-distro.debian-security.aptget-suite-map' => 's#-security$#/updates#',
- 'dgit-distro.debian-security.aptget-suite-rmap' => 's#$#-security#',
+ 'dgit-distro.debian-security.aptget-suite-map' => 's#buster-security$#buster/updates#',
+ 'dgit-distro.debian-security.aptget-suite-rmap' => 's#buster$#buster-security#',
  'dgit-distro.debian-security.nominal-distro' => 'debian',
  'dgit-distro.debian.backports-quirk' => '(squeeze)-backports*',
  'dgit-distro.debian-backports.mirror' => 'http://backports.debian.org/debian-backports/',
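Review bot: the two replacement regexps hardcode the buster codename with only a trailing `$` anchor, so the special case silently stops applying for any other suite and becomes dead configuration once buster leaves the security archive; a short comment next to `'dgit-distro.debian-security.aptget-suite-map' => 's#buster-security$#buster/updates#'` recording why buster is the only suite still using the `/updates` layout on security.debian.org would tell the next person when this pair can be removed.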
