Your message dated Thu, 28 Dec 2006 11:55:06 -0800 with message-id <87irfvztgl.fsf@windlord.stanford.edu> and subject line ssh-krb5 package merged with openssh has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator (administrator, Debian Bugs database)
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: changelog has numbers and dates going backwards, can't figure it out
- From: Joey Hess <joeyh@debian.org>
- Date: Tue, 10 Aug 2004 02:31:04 -0300
- Message-id: <20040810053104.GA8787@kitenet.net>
Package: ssh-krb5
Version: 3.6.1p2-5
Severity: normal

I have been going through the DSAs, looking for security holes that were fixed by the security team but are not yet fixed in testing. I got back to DSA-383, which covers CAN-2003-0693, CAN-2003-0695, and CAN-2003-0682. I tried looking for these in the changelog to see if they were fixed, and I found two.. but the changelog is so broken that I cannot tell in exactly what version of ssh-krb5 they were fixed, or even what date they were fixed.

This is because the changelog seems to consist of a top part, which is the changes you made in ssh-krb5 itself. And then below that you copy in the changelog for the last version of openssh you based the package on. So if I want to know what version of ssh-krb5 fixes CAN-2003-0693, I can look and see it was fixed in openssh 1:3.6.1p2-6.0, on 16 Sep 2003. The corresponding openssh-krb5 changelog entry seems to be 3.6.1p2-3 on 2 Nov 2003, although it doesn't mention changes inherited from openssh at all. This is more guesswork than I like to employ when it comes to verifying that we've not missed security fixes.

Worse, the way the changelog is laid out means that a program parsing the version numbers will see them increase a page down in the changelog where openssh's changelog begins. Possibly this is legal since the package name also changes there, but surely such a program could become sorely confused when the dates also jump around:

 -- Sam Hartman <hartmans@debian.org> Fri, 14 May 2004 01:30:07 -0400
 -- Sam Hartman <hartmans@debian.org> Wed, 19 Nov 2003 14:27:34 -0500
 -- Sam Hartman <hartmans@debian.org> Sun, 2 Nov 2003 18:58:26 -0500
 -- Sam Hartman <hartmans@debian.org> Sun, 1 Jun 2003 00:51:09 -0400
 -- Sam Hartman <hartmans@debian.org> Sat, 17 May 2003 18:38:58 -0400
 -- Colin Watson <cjwatson@debian.org> Fri, 19 Sep 2003 10:25:25 +0100

In short, this changelog is ugly, confusing, and an accident waiting to happen.

(And I'd appreciate confirmation about whether the openssh fixes for CAN-2003-0693 and CAN-2003-0682 are included in ssh-krb5, and at which versions, and whether CAN-2003-0695 is fixed at all (not mentioned in the changelog) and at which version).

--
see shy jo

Attachment: signature.asc
Description: Digital signature
--- End Message ---
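
The check the report above describes doing by hand, as an added example that is not part of either message: it walks a Debian-style changelog top to bottom and flags any entry that is newer than the entry above it or that switches source package name. The regular expressions are a simplified assumption about the changelog format, the version numbers in the sample are placeholders, and only the trailer lines are taken from the report.

```python
import re
from email.utils import parsedate_to_datetime

# Simplified patterns for a changelog entry header and its trailer line.
HEADER = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9+.-]+) \((?P<ver>[^)]+)\) ")
TRAILER = re.compile(r"^ -- (?P<who>.+ <[^>]+>) +(?P<date>.+)$")

def parse_entries(text):
    """Return (package, version, datetime) for each entry, top to bottom."""
    entries, current = [], None
    for line in text.splitlines():
        h, t = HEADER.match(line), TRAILER.match(line)
        if h:
            current = (h["pkg"], h["ver"])
        elif t and current:
            when = parsedate_to_datetime(t["date"].strip())
            entries.append((*current, when))
            current = None
    return entries

def find_anomalies(entries):
    """Flag entries newer than the one above, or that change package name."""
    problems = []
    for above, below in zip(entries, entries[1:]):
        if below[0] != above[0]:
            problems.append(("package-change", below[0], below[1]))
        if below[2] > above[2]:
            problems.append(("date-goes-forward", below[0], below[1]))
    return problems

# Constructed sample: placeholder versions, trailers as quoted in the report.
TRAILERS = [
    ("ssh-krb5", "Sam Hartman <hartmans@debian.org>  Fri, 14 May 2004 01:30:07 -0400"),
    ("ssh-krb5", "Sam Hartman <hartmans@debian.org>  Wed, 19 Nov 2003 14:27:34 -0500"),
    ("ssh-krb5", "Sam Hartman <hartmans@debian.org>  Sun, 2 Nov 2003 18:58:26 -0500"),
    ("ssh-krb5", "Sam Hartman <hartmans@debian.org>  Sun, 1 Jun 2003 00:51:09 -0400"),
    ("ssh-krb5", "Sam Hartman <hartmans@debian.org>  Sat, 17 May 2003 18:38:58 -0400"),
    ("openssh", "Colin Watson <cjwatson@debian.org>  Fri, 19 Sep 2003 10:25:25 +0100"),
]
SAMPLE = "\n".join(
    f"{pkg} (0.{n}) unstable; urgency=low\n\n  * placeholder\n\n -- {trailer}\n"
    for n, (pkg, trailer) in zip(range(len(TRAILERS), 0, -1), TRAILERS)
)

if __name__ == "__main__":
    for kind, pkg, ver in find_anomalies(parse_entries(SAMPLE)):
        print(f"{kind}: {pkg} {ver}")
```

An empty result from `find_anomalies` means the file reads as a single package history in strictly descending date order, which is what a reviewer tracing a security fix to a version needs.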
--- Begin Message ---
- To: 264717-done@bugs.debian.org, 386304-done@bugs.debian.org, 321498-done@bugs.debian.org
- Subject: ssh-krb5 package merged with openssh
- From: Russ Allbery <rra@debian.org>
- Date: Thu, 28 Dec 2006 11:55:06 -0800
- Message-id: <87irfvztgl.fsf@windlord.stanford.edu>

The ssh-krb5 package is now a transitional package that installs openssh-client and openssh-server. The regular OpenSSH packages now include GSSAPI support, so a separate package isn't necessary.

--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
--- End Message ---