Bug#515030: marked as done (reportbug: isolate stable from export unless specifically requested)

Sun, 15 Feb 2009 06:29:09 -0800 

Your message dated Sun, 15 Feb 2009 14:02:46 +0000
with message-id <[email protected]>
and subject line Bug#515030: fixed in reprepro 3.8.2-1
has caused the Debian Bug report #515030,
regarding reportbug: isolate stable from export unless specifically requested
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
515030: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=515030
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: reprepro
Version: 3.5.2-6
Severity: normal

Emdebian has a need for a truly stable distribution - where nothing I do in the
other distributions can modify the Release file for dists/stable and each
binary-* directory in each component of stable unless *specifically* 
re-enabled. 
This is so that these Release files can be signed by the Debian Release Team and
updates for Emdebian Grip stable are completely tied to the Debian updates for 
stable.

(This closes a security gap when installing Emdebian Grip using the Debian 
Installer
images. Any modification of the Release files loses the Release Team signature 
on
the Release file(s) and exposes users to the security gap once more.)

I think I can work around this issue, for now, but with a fair bit of 
unnecessary
duplication and various symlinks.

I'm thinking of an option in conf/distributions that says:

StableIsFrozen: true

or similar - that prohibits any alteration of anything in the distribution 
described
by that stanza, until that line is removed. No overrides on the command line, 
no --ignore
option, no option but commenting out that line which, hopefully, makes it clear 
that
the change is only made when a new stable release is being prepared. Once 
frozen, reprepro
would allow no reprepro operation that could possibly invalidate any existing 
signature on
the Release file(s) - including not changing the timestamp on the Release 
file(s) by reprepro.

'include*' and 'delete' would be impossible for stable, 'update' would be 
disabled, 'pull' as well,
even --export=force would ignore stable (and probably complain noisily that 
stable is
frozen and cannot be forced). This should not be permissions based because the 
repository
still needs to be maintained by a team.

Yet reprepro should still be able to query stable using 'list stable' and 
should still use
the same pool/, conf/ and db/ directories to avoid data duplication.

Is this achievable?

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages reprepro depends on:
ii  libarchive1            2.4.17-2          Single library to read/write tar, 
ii  libbz2-1.0             1.0.5-1           high-quality block-sorting file co
ii  libc6                  2.7-18            GNU C Library: Shared libraries
ii  libdb4.6               4.6.21-13         Berkeley v4.6 Database Libraries [
ii  libgpg-error0          1.4-2             library for common error values an
ii  libgpgme11             1.1.8-2           GPGME - GnuPG Made Easy
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

Versions of packages reprepro recommends:
ii  apt                           0.7.20.2   Advanced front-end for dpkg

Versions of packages reprepro suggests:
ii  gnupg-agent                   2.0.9-3.1  GNU privacy guard - password agent
pn  inoticoming                   <none>     (no description available)

-- no debconf information

--- End Message ---
--- Begin Message --- 
Source: reprepro
Source-Version: 3.8.2-1

We believe that the bug you reported is fixed in the latest version of
reprepro, which is due to be installed in the Debian FTP archive:

reprepro_3.8.2-1.diff.gz
  to pool/main/r/reprepro/reprepro_3.8.2-1.diff.gz
reprepro_3.8.2-1.dsc
  to pool/main/r/reprepro/reprepro_3.8.2-1.dsc
reprepro_3.8.2-1_sparc.deb
  to pool/main/r/reprepro/reprepro_3.8.2-1_sparc.deb
reprepro_3.8.2.orig.tar.gz
  to pool/main/r/reprepro/reprepro_3.8.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard R. Link <[email protected]> (supplier of updated reprepro package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 14 Feb 2009 13:10:13 +0100
Source: reprepro
Binary: reprepro
Architecture: source sparc
Version: 3.8.2-1
Distribution: unstable
Urgency: low
Maintainer: Bernhard R. Link <[email protected]>
Changed-By: Bernhard R. Link <[email protected]>
Description: 
 reprepro   - Debian package repository producer
Closes: 515030 515114
Changes: 
 reprepro (3.8.2-1) unstable; urgency=low
 .
   * add conf/distribution ReadOnly: option (Closes: 515030)
   * warn in manpage that Codename should be a permanent name (Closes: 515114)
Checksums-Sha1: 
 c9fda1cf01f1bd0bc6c8184085ae8661272fd9dc 1343 reprepro_3.8.2-1.dsc
 67a6053ac8b40c02f35a52fcd4c611e0f2e08621 514778 reprepro_3.8.2.orig.tar.gz
 270c3caf51cee0220bace4abcc24560b78d8bfb4 9760 reprepro_3.8.2-1.diff.gz
 23cffc43d5d60ef9a187668bd825fc5f42cfe2a9 370158 reprepro_3.8.2-1_sparc.deb
Checksums-Sha256: 
 675d6c2737813e6355b4087ee9d52542c88b41e6db667bb2a4c7de4d54c1d2e5 1343 
reprepro_3.8.2-1.dsc
 393afc520818cd9d1baebb91461ad54e465295020801c56599acd9d9f472a29a 514778 
reprepro_3.8.2.orig.tar.gz
 7def9bc909f998612eba32caa77cd7d648ac47354c1e66bca62cca29cc121380 9760 
reprepro_3.8.2-1.diff.gz
 a14e7e6aa3495701dd690121662df35270ae489191209a25c4215812f5f0d029 370158 
reprepro_3.8.2-1_sparc.deb
Files: 
 37f0acb5985f66791d75e241de47fdb7 1343 utils extra reprepro_3.8.2-1.dsc
 86e2d44865b565157201225225b3467e 514778 utils extra reprepro_3.8.2.orig.tar.gz
 1845e3b6efd13f5697b60dc936cfd1a2 9760 utils extra reprepro_3.8.2-1.diff.gz
 4c122e3b07b906c44e3a4c9893174a47 370158 utils extra reprepro_3.8.2-1_sparc.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQCVAwUBSZgds1syKVgPHZLaAQI8MgQAokRnh0LULvC/F8yXjWaRxlW4tIVdGAFi
7EeK/1aSOV7yMNndk4B4bPrWWN/qDB+Hrmw2H1oA5nb5Ly4XMGbS2+eJNGjpUfxB
Fj+jUQUctd2/mO1oDeTF+P2nOH7oFTpTIwVJzZuyb1cTLZT/OOMXX21EvD6qkbd7
u4MY39M/+Rg=
=ibgk
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to