On 25/10/16 18:26, Adam D. Barratt wrote: > On 2016-10-25 14:32, Andrew Shadura wrote: >> On 25/10/16 15:31, Adam D. Barratt wrote: >>> Control: tags -1 + confirmed >>> >>> On 2016-10-25 10:10, Andrew Shadura wrote: >>>> I have prepared an upload fixing CVE-2016-8694, CVE-2016-8695, >>>> CVE-2016-8696, CVE-2016-8697, CVE-2016-8698, CVE-2016-8699, >>>> CVE-2016-8700, >>>> CVE-2016-8701, CVE-2016-8702, CVE-2016-8703. >>>> >>>> Please find the attached debdiff. >>> >>> I assume "CVE-2016-8694.patch" actually fixes all of the listed CVEs? If >>> so, and assuming that the resulting package has been tested on stable, >>> please go ahead. >> >> Yes, it does. > > Unfortunately it appears that the uploaded package was not built in a > (purely) jessie environment, so I'm afraid that I've had to mark it to > be rejected. > > Automated binary debdiffs show: > > <quote> > Warning: these package names were in the second list but not in the first: > -------------------------------------------------------------------------- > libpotrace0-dbgsym > potrace-dbgsym > ... > Files only in first set of .debs, found in package libpotrace0 > -------------------------------------------------------------- > -rwxr-xr-x root/root DEBIAN/postinst > -rwxr-xr-x root/root DEBIAN/postrm > > New files in second set of .debs, found in package libpotrace0 > -------------------------------------------------------------- > -rw-r--r-- root/root DEBIAN/triggers > </quote> > > Those changes won't happen if jessie's debhelper was used for the build. > (The fact that dak didn't reject the package itself is a known issue > with the *-debug suite checks.)
Indeed, I uploaded a wrong .changes. Sorry for the noise, will re-upload shortly. -- Cheers, Andrew