
Re: xfree86_4.1.0-16woody4_alpha.changes REJECTED



(replying to my own mail at gun^Wflamethrower-point)

On Mon, Oct 18, 2004 at 03:02:47PM +0200, Jeroen van Wolffelaar wrote:
> On Mon, Oct 18, 2004 at 07:44:29AM -0500, Branden Robinson wrote:
> > Is there a FAQ somewhere that will tell me why I always get "REJECTED"
> > mails from katie after submitting security-fixed packages to the Debian
> > Security Team?
> > 
> > I get one for each architecture.
> > 
> > I seem to remember asking Debian Installer
> > <installer@ftp-master.debian.org> before, but never getting an answer.
> 
> The problem is that stable-security is a separate archive, and requires
> a sourceful upload. Give the '-sa' option to dpkg-buildpackage to
> overrule the heuristic that says only -1 and -0 packages need to have
> their source included.

Branden Robinson told me that however he did prepare the upload, it was
his understanding that the security team would not use it as-is, but
rebuild it. They didn't, and due to Branden's assumption, he didn't
think he needed to follow the guidelines specific to how exactly to
dpkg-buildpackage the upload for security updates.
 
> Also see http://www.debian.org/doc/developers-reference/ch-pkgs#s-bug-security
> which says to simply mail updated packages to the security team, and to
> not normally upload them yourself.

So it was the security team who uploaded Branden's packages as-is. Sorry
for assuming wrong, but something like this is uncheckable as the
signature was Branden's.

> A subsection of this section has also the answer to your question:
> 
> | Unless the upstream source has been uploaded to security.debian.org
> | before (by a previous security update), build the upload with full
> | upstream source (dpkg-buildpackage -sa). If there has been a previous
> | upload to security.debian.org with the same upstream version, you may
> | upload without upstream source (dpkg-buildpackage -sd).

This text is by the way incomplete. It should say "If there has been a
previous upload ... same upstream version _since the latest point
release_, you may upload without upstream source". Or even better, just
change it to 'always use -sa', as having multiple security updates for
one package between the same point releases is rare, and even if so, the
extra bandwidth used during upload is negligible (and it can't hurt).

--Jeroen

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
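
A pre-upload check for the rule discussed in this message, as an added example that is not part of the original mail or of any Debian tool: it reads the Files: field of a .changes file and reports whether the upload carries the upstream source (-sa), only .dsc and diff (-sd), or no source at all. The sample .changes text, its checksums and sizes are constructed placeholders, the function names are hypothetical, and a non-native package is assumed.

```python
import re

def files_in_changes(text):
    """Return the file names listed in the Files: field of a .changes file."""
    names, in_files = [], False
    for line in text.splitlines():
        if line.startswith("Files:"):
            in_files = True
        elif in_files and line[:1] in (" ", "\t"):
            # Continuation line: md5sum size section priority filename
            parts = line.split()
            if len(parts) == 5:
                names.append(parts[4])
        else:
            # Blank line, next field or PGP armor ends the Files: block
            in_files = False
    return names

def classify_upload(text):
    """Classify an upload by the source files its .changes references."""
    names = files_in_changes(text)
    has_dsc = any(n.endswith(".dsc") for n in names)
    has_orig = any(re.search(r"\.orig\.tar\.(gz|bz2|xz)$", n) for n in names)
    if has_dsc and has_orig:
        return "full-source"   # what dpkg-buildpackage -sa produces
    if has_dsc:
        return "diff-only"     # what dpkg-buildpackage -sd produces
    return "binary-only"       # no .dsc: not a sourceful upload

# Constructed sample data; checksums and sizes are placeholders.
HEADER = ("Format: 1.7\nSource: xfree86\nVersion: 4.1.0-16woody4\n"
          "Distribution: stable-security\nFiles:\n")
PLACEHOLDER = " 00000000000000000000000000000000 1 x11 optional "
DSC = PLACEHOLDER + "xfree86_4.1.0-16woody4.dsc\n"
DIFF = PLACEHOLDER + "xfree86_4.1.0-16woody4.diff.gz\n"
ORIG = PLACEHOLDER + "xfree86_4.1.0.orig.tar.gz\n"
DEB = PLACEHOLDER + "xserver-xfree86_4.1.0-16woody4_alpha.deb\n"

SAMPLE_SA = HEADER + DSC + DIFF + ORIG + DEB
SAMPLE_SD = HEADER + DSC + DIFF + DEB
SAMPLE_BINARY = HEADER + DEB

if __name__ == "__main__":
    for label, sample in (("-sa", SAMPLE_SA), ("-sd", SAMPLE_SD),
                          ("binary", SAMPLE_BINARY)):
        print(label, "->", classify_upload(sample))
```
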


