
Bug#1113750: trixie-pu: package stardict/3.0.7+git20220909+dfsg-8+deb13u1(CVE-2025-55014)



On Tue, 2025-09-02 at 06:21 +0100, Adam D. Barratt wrote:
> On Tue, 2025-09-02 at 13:07 +0800, xiao sheng wen(肖盛文) wrote:
> > I just uploaded it, this package has been put into the NEW queue
> > again.
> > 
> > https://ftp-master.debian.org/new/stardict_3.0.7+git20220909+dfsg-8+deb13u1.html
> > 
> > The version 3.0.7+git20220909+dfsg-8 already passed the NEW queue in
> > sid before.
> 
> Yes, you added new binary packages - they're not in stable at the
> moment. Whether they exist in unstable is irrelevant as far as the
> archive is concerned. That's not something you should just do in a
> stable update without getting agreement first.
> 
> In any case, your versioning is wrong:
> 
> stardict   | 3.0.7+git20220909+dfsg-8         | unstable       | source, all
> stardict   | 3.0.7+git20220909+dfsg-8+deb13u1 | new            | source, all
> 
> Assuming that we decide we're OK with the update, it will need a
> version number that's lower than unstable.
> 3.0.7+git20220909+dfsg-8~deb13u1 would be the conventional approach.

The .changes file for what you've uploaded to NEW is also missing any
details about the new binary package being added or why it's there,
because you didn't use -v to make sure all of the changes since stable
were included:

Changes:
 stardict (3.0.7+git20220909+dfsg-8+deb13u1) trixie; urgency=medium
 .
   * Update d/gbp.conf for trixie-specific

I'm going to ask ftp-master to reject the upload. We can re-visit the
general idea once 13.1 is out the way.

Regards,

Adam

