Your message dated Wed, 19 Sep 2012 20:26:14 +0100
with message-id <[email protected]>
and subject line Re: Bug#687236: unblock: postgresql-9.1/9.1.5-2
has caused the Debian Bug report #687236,
regarding unblock: postgresql-9.1/9.1.5-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
687236: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687236
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Hello release team,

10 days ago I uploaded a new PostgreSQL 9.1 which re-enables build
hardening. We have had this for a long time already, but it was
accidentally dropped in 9.1.3-2 when I made the package compatible
with both the new dpkg method and hardening-wrapper (for backports).

  http://packages.qa.debian.org/p/postgresql-9.1/news/20120831T084902Z.html

9.1.5-2 reintroduces hardening again. As PostgreSQL is a fairly
widespread server application, its job is to process tons of strings,
user data, etc., it particularly benefits from hardening, so it would
be a shame to regress this in wheezy due to this oversight.

The other change in -2 is a Breaks/Replaces fix for handling backports
variants, and a corresponding preinst transition which only affects
Ubuntu (as Debian's archives do not have Debian revisions starting
with -0).

The package successfully passes the upstream as well as the
postgresql-common integration tests and built fine on all
architectures (except hurd-i386, but it almost never built there
anyway).

Thank you for considering!

Martin

unblock postgresql-9.1/9.1.5-2

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
diff -Nru postgresql-9.1-9.1.5/debian/changelog 
postgresql-9.1-9.1.5/debian/changelog
--- postgresql-9.1-9.1.5/debian/changelog       2012-08-17 12:42:45.000000000 
+0000
+++ postgresql-9.1-9.1.5/debian/changelog       2012-08-31 07:55:01.000000000 
+0000
@@ -1,3 +1,21 @@
+postgresql-9.1 (9.1.5-2) unstable; urgency=low
+
+  * debian/rules: Re-enable hardening functions (regression from 9.1.3-2 when
+    hardening-wrapper is not installed). Use "hardening=all", but disable
+    "pie" (as that's not compatible with -fPIC) and add -pie to CFLAGS
+    explicitly. Also drop the explicit "-Wl,-z,now" linker option, as this is
+    now implied with "all". (LP: #1039618)
+  * Fix upgrades from older 9.1 releases in stable Ubuntu -updates/-security
+    releasese. The strict "<< 9.1.4-2~" check for moving pg_basebackup.1.gz is
+    not sufficient, as Ubuntu stables have newer upstream releases by now.
+    - debian/control: Move Breaks/Replaces: from static version to
+      ${binary:Version}.
+    - debian/postgresql-9.1.preinst: Also fix the alternatives when upgrading
+      from a -0something version.
+    - (LP: #1043449)
+
+ -- Martin Pitt <[email protected]>  Fri, 31 Aug 2012 09:54:27 +0200
+
 postgresql-9.1 (9.1.5-1) unstable; urgency=medium
 
   * Urgency medium due to security fixes and bug fixes which should reach
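
Review bot: Typo in the second bullet of the new entry: "releasese" should be "releases". The first bullet also says "pie" is disabled because it is not compatible with -fPIC and then adds -pie explicitly; a short clause on why the explicit -pie works where the dpkg-supplied one does not would make the entry easier to audit later.
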
diff -Nru postgresql-9.1-9.1.5/debian/control 
postgresql-9.1-9.1.5/debian/control
--- postgresql-9.1-9.1.5/debian/control 2012-08-17 12:42:45.000000000 +0000
+++ postgresql-9.1-9.1.5/debian/control 2012-08-31 07:55:01.000000000 +0000
@@ -170,8 +170,8 @@
 Conflicts: postgresql (<< 7.5)
 Suggests: postgresql-9.1, postgresql-doc-9.1
 Provides: postgresql-client
-Breaks: postgresql-9.1 (<< 9.1.4-2~)
-Replaces: postgresql-9.1 (<< 9.1.4-2~)
+Breaks: postgresql-9.1 (<< ${binary:Version})
+Replaces: postgresql-9.1 (<< ${binary:Version})
 Description: front-end programs for PostgreSQL 9.1
  This package contains client and administrative programs for
  PostgreSQL: these are the interactive terminal client psql and
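
Review bot: The Breaks:/Replaces: bound on the client stanza goes from a one-time "<< 9.1.4-2~" to "<< ${binary:Version}", so the client now breaks every older postgresql-9.1 build, not only those that still ship the moved manpage. That forces server and client to upgrade in lock-step on every future upload, and Replaces: then permits overwriting files from any older server version. If that is the intended trade-off, state it in the changelog next to the "Move Breaks/Replaces" item so it is not later mistaken for leftover transition code.
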
diff -Nru postgresql-9.1-9.1.5/debian/postgresql-9.1.preinst 
postgresql-9.1-9.1.5/debian/postgresql-9.1.preinst
--- postgresql-9.1-9.1.5/debian/postgresql-9.1.preinst  2012-08-17 
12:42:45.000000000 +0000
+++ postgresql-9.1-9.1.5/debian/postgresql-9.1.preinst  2012-08-31 
07:55:01.000000000 +0000
@@ -2,10 +2,13 @@
 set -e
 
 # 9.1.4-2 moved pg_basebackup manpage from server to client; we need to rebuild
-# the alternatives for postmaster to drop pg_basebackup.1.gz from the group
-if [ "$1" = "upgrade" ] || [ "$1" = "install" ] && \
-       dpkg --compare-versions "$2" lt-nl "9.1.4-2~"; then
-    update-alternatives --remove postmaster.1.gz 
/usr/share/postgresql/9.1/man/man1/postmaster.1.gz
+# the alternatives for postmaster to drop pg_basebackup.1.gz from the group; we
+# also need to do this when upgrading from stable-updates/security, i. e. from
+# a -0something version
+if [ "$1" = "upgrade" ] || [ "$1" = "install" ]; then
+    if dpkg --compare-versions "$2" lt-nl "9.1.4-2~" || echo "$2" | grep -q -- 
'-0'; then
+        update-alternatives --remove postmaster.1.gz 
/usr/share/postgresql/9.1/man/man1/postmaster.1.gz
+    fi
 fi
 
 #DEBHELPER#
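
Review bot: The added test "echo "$2" | grep -q -- '-0'" in the inner if is unanchored and has no upper version bound, so it matches "-0" anywhere in the old version string and triggers the update-alternatives --remove on every upgrade from any -0something version, including ones that already carry the manpage move. Consider anchoring the pattern to the start of the Debian revision (the part after the last hyphen), and extend the comment above to say that repeating the removal on later upgrades is harmless because the alternatives group is rebuilt afterwards, if that is the case.
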
diff -Nru postgresql-9.1-9.1.5/debian/rules postgresql-9.1-9.1.5/debian/rules
--- postgresql-9.1-9.1.5/debian/rules   2012-08-17 12:42:45.000000000 +0000
+++ postgresql-9.1-9.1.5/debian/rules   2012-08-31 07:55:01.000000000 +0000
@@ -4,10 +4,11 @@
 
 # support both hardening-wrapper (for backports) and dpkg-buildflags
 export DEB_BUILD_HARDENING = 1
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie
 DPKG_EXPORT_BUILDFLAGS = 1
 -include /usr/share/dpkg/buildflags.mk
-LDFLAGS+= -Wl,--as-needed -Wl,-z,now
-CFLAGS+= -fPIC
+LDFLAGS+= -Wl,--as-needed
+CFLAGS+= -fPIC -pie
 
 # When protecting the postmaster with oom_adj=-17, allow the OOM killer to slay
 # the backends 
(http://archives.postgresql.org/pgsql-hackers/2010-01/msg00170.php)
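
Review bot: Dropping "-Wl,-z,now" from LDFLAGS makes immediate binding depend entirely on "hardening=+all" being applied, but buildflags.mk is pulled in with "-include" (optional) and the comment at the top says this file must also work with hardening-wrapper for backports. Please confirm that the hardening-wrapper path still yields bindnow, or keep the explicit linker option. Separately, "CFLAGS+= -fPIC -pie" puts a link-time option into CFLAGS with no explanation in the rules file itself; a one-line comment above it recording why "pie" is disabled in DEB_BUILD_MAINT_OPTIONS and re-added by hand would prevent the same accidental regression this upload is fixing.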


--- End Message ---
--- Begin Message ---
On Mon, 2012-09-17 at 07:16 +0200, Martin Pitt wrote:
> Adam D. Barratt [2012-09-16 15:17 +0100]:
> > On Tue, 2012-09-11 at 06:20 +0200, Martin Pitt wrote:
> > > The other change in -2 is a Breaks/Replaces fix for handling backports
> > > variants,
> > 
> > +  * Fix upgrades from older 9.1 releases in stable Ubuntu 
> > -updates/-security
> > +    releasese. The strict "<< 9.1.4-2~" check for moving 
> > pg_basebackup.1.gz is

s/releasese/releases/, fwiw.

> > +    not sufficient, as Ubuntu stables have newer upstream releases by now.
> > +    - debian/control: Move Breaks/Replaces: from static version to
> > +      ${binary:Version}.
> > 
> > Newer upstream releases without the manpage move?  Apologies if I'm
> > missing something here.
> 
> We released e. g. 9.1.1-1 into Ubuntu 11.10, which had the manpage at
> the wrong place. For security updates, both Debian and Ubuntu just
> take the new upstream version, not the complete backport (including
> packaging changes) from the development release.

In this specific case it looks like that won't affect Debian as we don't
have a stable release containing 9.1 yet.  However, the changes look
sane enough, supporting upgrades from Ubuntu releases wouldn't hurt :)
and there's already similar lock-step upgrade requirements for other
binary packages so meh.

Unblocked; thanks.

Regards,

Adam

--- End Message ---
