Bug#948786: buster-pu: package apt-cacher-ng/3.2-3~deb10u1

Bug#948786: buster-pu: package apt-cacher-ng/3.2-3~deb10u1

Andreas Beckmann-4
Package: release.debian.org
Severity: normal
Tags: buster
User: [hidden email]
Usertags: pu

Hi,

let's make apt-cacher-ng in stable usable for sid and bullseye, again,
by increasing some decompression buffers. #942634

This is a rebuild of the package in testing and already uploaded.


Andreas

apt-cacher-ng_3.2-3~deb10u1.dsc.diff (2K) Download Attachment

Bug#948786: buster-pu: package apt-cacher-ng/3.2-3~deb10u1

Eduard Bloch
Hello,
* Andreas Beckmann [Mon, Jan 13 2020, 11:20:25AM]:

> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: [hidden email]
> Usertags: pu
>
> Hi,
>
> let's make apt-cacher-ng in stable usable for sid and bullseye, again,
> by increasing some decompression buffers. #942634
>
> This is a rebuild of the package in testing and already uploaded.

"already uploaded" is like "shoot first, ask questions later", so I am
not amused.

I was going to request a stable update anyway in about two days from
now; the plan was to create a buster-pu ticket for a backport of
CVE-2020-5202 fix AND also include a backport of the length fix. What
you created anyway now. Well then, I suggest to wait another day or two
and just reuse your ticket.

CVE details:
https://salsa.debian.org/blade/apt-cacher-ng/commit/3b91874b0c099b0ded1a94f1784fe1265082efbc
https://metadata.ftp-master.debian.org/changelogs//main/a/apt-cacher-ng/apt-cacher-ng_3.3.1-1_changelog

At release team, please advise: could I also introduce the little fix of
#948259? It's really peanuts but would make ArchLinux people happy. See
https://salsa.debian.org/blade/apt-cacher-ng/commit/a685db7aee472dd2c85f430aa345b28e22a60d9e
for details.

Also, since I am the upstream author:
shall I make a real upstream release for that?

(you can say no because of any process requirements the release team has
in mind but that would not make much sense since I will create that
upstream release version anyway, ending up in an official 3.2.1 version
and a Debian-specific 3.2-3 revision with effectively the same code)

Best regards,
Eduard.

Bug#948786: buster-pu: package apt-cacher-ng/3.2-3~deb10u1

Andreas Beckmann-4
control: tag -1 moreinfo

On 13/01/2020 18.29, Eduard Bloch wrote:

>> let's make apt-cacher-ng in stable usable for sid and bullseye, again,
>> by increasing some decompression buffers. #942634
>>
>> This is a rebuild of the package in testing and already uploaded.
>
> "already uploaded" is like "shoot first, ask questions later", so I am
> not amused.
>
> I was going to request a stable update anyway in about two days from
> now; the plan was to create a buster-pu ticket for a backport of
> CVE-2020-5202 fix AND also include a backport of the length fix. What
> you created anyway now. Well then, I suggest to wait another day or two
> and just reuse your ticket.

Dear release team, please reject my upload in favor of an upcoming
maintainer upload containing more changes.

Andreas

Bug#948786: buster-pu: package apt-cacher-ng/3.2.1-1 pre-approval

Eduard Bloch
In reply to this post by Andreas Beckmann-4
Control: tag -1 -moreinfo

Hello everyone,

so here comes the additional info:

the CVE-2020-5202 fix was applied to Sid/Bullseye and reached Testing
without any bugreports. I had to reupload once in the meantime due to a
glitch in the Debian package (yes, I f*ed it up, right in the great
git-based process and I am sorry, but it should all be fine now).

Now I am planning to make an upstream release, which consolidates:

- backport of CVE-2020-5202 fix from Bullseye (mostly identical, adapted
  for different function signatures, omits refactoring which comes in handy
  here but hey, let's change as little as possible for Stable)
- minor extension (.zst as additional compression format alongside of
  .gz,.bz2,.lzma,.xz). NO extra processing code, just passing through
  that data instead of rejecting them.
- the fix of #942634 which affects the operation with current mirrors
  and which was the original motivation for this ticket

I would like to have some kind of confirmation from the release team
that this mail does not go straight to /dev/null and that a new upstream
(minor) version is an acceptable candidate for a Stable update. I can,
of course, convert all that into debian/patches/XXX but honestly, that
would really feel like greenwashing.

The changes reported here can be reviewed at
https://salsa.debian.org/blade/apt-cacher-ng/commits/temp/debian-merge ,
starting with the commit from 2019-12-20. I am testing this version in
my daily operations now. That test base is small, of course, if anyone
has a better idea, please let me know.

In case you encounter something not understandable in those changes,
feel free to ping me via comments in Salsa git review, and I will
explain what this is about.

Best regards,
Eduard.

Bug#948786: buster-pu: package apt-cacher-ng/3.2.1-1 pre-approval

Adam D. Barratt
On Wed, 2020-01-22 at 22:16 +0100, Eduard Bloch wrote:
> I would like to have some kind of confirmation from the release team
> that this mail does not go straight to /dev/null and that a new
> upstream (minor) version is an acceptable candidate for a Stable
> update.

No mail is ignored, and I don't appreciate the implication.

As you may have noticed, manpower for processing stable updates is
somewhat thin on the ground these days, and there's only so many
requests I can get through in any given time, particularly while trying
to fit in other Debian, dayjob and other activities.

To be entirely honest, it's also not the most fun thing to spend an
evening doing.

> I can, of course, convert all that into debian/patches/XXX but
> honestly, that would really feel like greenwashing.
>
> The changes reported here can be reviewed at
> https://salsa.debian.org/blade/apt-cacher-ng/commits/temp/debian-merge ,
> starting with the commit from 2019-12-20.

Those look OK as individual commits, thanks. For completeness, could we
please have a finalised source debdiff of the built source package,
compared to current stable?

Regards,

Adam

Bug#948786: buster-pu: package apt-cacher-ng/3.2.1-1 pre-approval

Eduard Bloch
Hello,
* Adam D. Barratt [Tue, Jan 28 2020, 10:28:08PM]:

> > I can, of course, convert all that into debian/patches/XXX but
> > honestly, that would really feel like greenwashing.
> >
> > The changes reported here can be reviewed at
> > https://salsa.debian.org/blade/apt-cacher-ng/commits/temp/debian-merge ,
> > starting with the commit from 2019-12-20.
>
> Those look OK as individual commits, thanks. For completeness, could we
> please have a finalised source debdiff of the built source package,
> compared to current stable?
Of course, attached.

Although, there are a couple of changes which I added on top:
a) removing -Wl,threads from considered linker options. That's a non-functional change, supposed to counteract FTBFS on mipsel/mips64el which I had experienced recently (there is a similar workaround in Testing, which detects mipsel explicitly, but this change simply removed -Wl,threads completely for all architectures which is the safer option, IMHO)
b) upstreaming the fix of #928957 (this was approved last year for Stable already, the code just wanders from debian-patch into upstream change)

BTW, there is one remaining change in the Debian diff on the systemd file which I will keep as is. It existed already in Stable. Not critical and not that important, and might be upstreamed in Sid, sooner or later.

Best regards,
Eduard.

srcdiff_3.2-2_3.2.1-1.diff (27K) Download Attachment
bindiff_3.2-2_3.2.1-1.diff (2K) Download Attachment

Bug#948786: buster-pu: package apt-cacher-ng/3.2.1-1 pre-approval

Adam D. Barratt
On Mon, 2020-02-03 at 21:05 +0100, Eduard Bloch wrote:

> Hello,
> * Adam D. Barratt [Tue, Jan 28 2020, 10:28:08PM]:
>
> > > I can, of course, convert all that into debian/patches/XXX but
> > > honestly, that would really feel like greenwashing.
> > >
> > > The changes reported here can be reviewed at
> > > https://salsa.debian.org/blade/apt-cacher-ng/commits/temp/debian-merge
> > > ,
> > > starting with the commit from 2019-12-20.
> >
> > Those look OK as individual commits, thanks. For completeness,
> > could we
> > please have a finalised source debdiff of the built source package,
> > compared to current stable?
>
> Of course, attached.

I noticed that you also uploaded. Note that proposed-updates is
currently frozen in preparation for the point releases on Saturday, so
the package won't be processed until some point after that happens.

Regards,

Adam

Bug#948786: apt-cacher-ng 3.2.1-1 flagged for acceptance

Adam D. Barratt
In reply to this post by Andreas Beckmann-4
package release.debian.org
tags 948786 = buster pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==============

Package: apt-cacher-ng
Version: 3.2.1-1

Explanation: enforce secured call to the server in maint job triggering [CVE-2020-5202]; allow .zst compression for tarballs; increase size of the decompression line buffer for config file reading