Your message dated Wed, 12 Jul 2023 21:22:05 +0300
with message-id <[email protected]>
and subject line Re: Bug#1039083: crun: Embed yajl
has caused the Debian Bug report #1039083,
regarding crun: Embed yajl
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
1039083: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039083
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: crun
Severity: serious
Justification: embedded code copy (devref)

Dear Maintainer,

Your package includes an embedded code copy of yajl.

Could you please:
- de-embed it
- then repack (+ds source if needed) in order to be sure it will not be
  compiled in by accident in a newer release

Thanks

Bastien

-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.1.0-9-rt-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Hi there,

On Sun, Jun 25, 2023 at 02:51:51PM +0000, Bastien Roucariès wrote:
> Your package includes an embedded code copy of yajl.
>
> Could you please:
> - de-embed it
> - then repack (+ds source if needed) in order to be sure it will not be
>   compiled in by accident in a newer release

The embedded copy is not used in the binary package, and this is the case
across oldstable/stable/testing/unstable. Note that this is already
documented in d/copyright as well.

Upstream provides an --enable-embedded-yajl configure flag which we are not
passing, so I don't think we're running into the risk of accidentally
building the embedded copy anytime soon. I'll add a
grep -q yajl debian/crun.substvars to override_dh_gencontrol as another
guard for this (even though I think it's a bit of an overkill!)

With respect to your suggestion to de-embed and repack, I'm going to
respectfully have to decline. Upstream signs their tarballs, and I'd rather
have Debian ship the upstream tarballs and their signatures than repack
them. I consider the risk of a supply chain attack higher than the risk of
accidentally embedding libyajl, and thus repacking feels inferior from a
defense-in-depth perspective (at least my perspective).

Hope this helps!

Regards,
Faidon
--- End Message ---
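The guard Faidon describes relies on a property of the Debian build: dh_shlibdeps writes the shared libraries a binary actually links against into debian/<pkg>.substvars as shlibs:Depends, so if the embedded yajl copy were ever compiled in, libyajl2 would silently drop out of that line. The script below is an added example written for this thread; it is not code from the bug report, from the crun package or from Debian's helpers. It packages the check as a function with a clearer failure message than a bare grep, and exercises it on two constructed substvars files (the package names and version constraints in them are sample values, not real build output).

```shell
#!/bin/sh
# Added example (not from the bug report or the crun package): a build-time
# guard in the spirit of the `grep -q yajl debian/crun.substvars` check from
# the reply above. Assumes the usual dh layout, where dh_shlibdeps has already
# written shlibs:Depends into debian/<pkg>.substvars by the time
# override_dh_gencontrol runs.

# Return 0 when the substvars file's shlibs:Depends line names a libyajl
# shared-library package, 1 otherwise.  $1 = path to a substvars file.
# Only the shlibs:Depends line is inspected so that an unrelated mention of
# "yajl" elsewhere in the file cannot mask a missing dynamic link.
yajl_is_dynamic() {
    substvars="$1"
    [ -r "$substvars" ] || return 1
    grep -q '^shlibs:Depends=.*libyajl' "$substvars"
}

# Wrapper that reports the outcome the way a failing build step would.
# Returns the same status as yajl_is_dynamic.  $1 = path to a substvars file.
assert_yajl_is_dynamic() {
    if yajl_is_dynamic "$1"; then
        echo "ok: $1 records a dependency on the shared libyajl"
        return 0
    fi
    echo "ERROR: $1 has no libyajl dependency; the embedded yajl copy may have been linked in" >&2
    return 1
}

# Constructed sample substvars files for demonstration (not real dh output).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
GOOD="$tmpdir/crun.substvars"            # dynamic link to libyajl2 present
BAD="$tmpdir/crun-embedded.substvars"    # what an embedded build would look like
MISSING="$tmpdir/does-not-exist.substvars"

cat > "$GOOD" <<'EOF'
shlibs:Depends=libc6 (>= 2.34), libcap2 (>= 1:2.10), libseccomp2 (>= 2.5.0), libyajl2 (>= 2.0.4)
misc:Depends=
EOF

cat > "$BAD" <<'EOF'
shlibs:Depends=libc6 (>= 2.34), libcap2 (>= 1:2.10), libseccomp2 (>= 2.5.0)
misc:Depends=
EOF

# Demonstration run: the first call passes, the second prints the error.
assert_yajl_is_dynamic "$GOOD"
assert_yajl_is_dynamic "$BAD" || echo "(the guard would fail the build here)"

# In debian/rules (hypothetical snippet, make syntax with a tab indent) the
# same check sits in front of dh_gencontrol, after dh_shlibdeps has run:
#
#   override_dh_gencontrol:
#   	grep -q '^shlibs:Depends=.*libyajl' debian/crun.substvars
#   	dh_gencontrol
```

Because grep -q exits non-zero when the pattern is absent, and make aborts on a non-zero exit, the package simply fails to build the moment libyajl stops being a dynamic dependency, which is exactly the "accidentally compiled in" case the reporter was worried about.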

