Package: release.debian.org
Severity: normal
X-Debbugs-Cc: debian-multime...@lists.debian.org
User: release.debian....@packages.debian.org
Usertags: transition

There is a new version of libtheora, <URL: https://tracker.debian.org/pkg/libtheora >, available from upstream, which fixes a few crash bugs that might be security related, discovered when using GCC sanitization on the upstream self test checks. The ABI change triggering the SONAME change is moving from 'char *' to 'const char *' in some public function arguments.

The autogenerated transition page is available from <URL: https://release.debian.org/transitions/html/auto-libtheora.html >.

The new version is already in experimental, and I have verified that it builds with every one of its reverse dependencies which is buildable in testing before the upgrade of libtheora-dev, in other words allegro5, boswars, darkplaces, ffmpeg, godot, gst, handbrake, icecast2, indi, liboggplay, libshout, libshout, liquidsoap, love, mediastreamer2, mplayer, ocaml, oggvideotools, ogmrip, openmsx, recordmydesktop, ros, scummvm, tupi, ufoai, vlc, vtk9, warzone2100, xine and zaz.

The gmerlin-avdecoder and gmerlin-encoders packages failed to build because their build dependencies failed to install in testing. The os-autoinst package fails to build because of failing self tests, also observed on <URL: https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/os-autoinst.html >. The paraview package fails to build because the hdf5.h header file it requires is not provided by its build dependencies. The kcemu package failed to build because there was no package in testing.

I discovered and fixed a build problem in tupi in the process, to get it into testing.

As there might be lingering security issues in the libtheora 1.1.1 release in testing, I thought it best to ask if the release team are OK with an upload of libtheora 1.2.0 to unstable.

-- 
Happy hacking
Petter Reinholdtsen