Bug#679041: transition: wireshark
2012/6/27 Adam D. Barratt a...@adam-barratt.org.uk: tag 679041 + pending thanks On Tue, 2012-06-26 at 19:16 +0200, Bálint Réczey wrote: 2012/6/26 Mehdi Dogguy me...@dogguy.org: On 26/06/2012 00:10, Bálint Réczey wrote: I'd like to upload the latest version of wireshark to unstable. Updating from 1.6.8 to 1.8.0 brings a new ABI with a new soname for all the libs. Having Wireshark 1.8.x in Wheezy is important because upstream's support for 1.6.x ends on June 7, 2013 [1] and Wireshark needs regular security updates. [...] Thanks for letting us know. Unfortunately, we think that this update came a tad late because we are that near to freeze and the update seems quite large. This is why i don't want to risk backporting security fixes from 1.8.x to 1.6.x. I have to admit to not being happy with the size of the diff at this late stage, but it seems the lesser of the available evils. The 1.8 package was accepted from NEW a short while ago by our friendly ftp-team. Thanks! The Wireshark project uses pretty advanced techniques for ensuring code quality including three different static code analyzers, building for platforms and fuzz testing every build. There are still security issues found in the code base time to time, but with more than 2 million lines of C code it would be hard to avoid those completely. All in all I'm convinced that having 1.8.x in Wheezy in the right decision. Can we schedule binNMUs for netexpect, or does it require any source changes? Eloy will upload the new netexpect package soon. ... Note that 1.8.0~rc1-1 has been uploaded to the NEW queue weeks ago... [1] In that case, I'm not entirely sure why the transition bug wasn't raised weeks ago... nor what the logic is behind not having uploaded the release version already, given that the upstream schedule claims it was released a week ago. In the past we managed the transition ourselves by quickly updating netexpect after wireshark. Since netexpect does not have too many users yet and netexpect is the only package depending on wireshark it seemed to be a better solution over involving the release team. Should we always open a transition bug? Cheers, Balint -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#679041: transition: wireshark
Hi all, On 06/28/2012 04:43 AM, Bálint Réczey wrote: [...] 2012/6/27 Adam D. Barratt a...@adam-barratt.org.uk: Can we schedule binNMUs for netexpect, or does it require any source changes? Eloy will upload the new netexpect package soon. I uploaded to unstable new netexpect packages built against the new Wireshark 1.8.0 packages yesterday as soon as I saw that Wireshark 1.8.0 had been accepted into unstable. Note that 1.8.0~rc1-1 has been uploaded to the NEW queue weeks ago... [1] In that case, I'm not entirely sure why the transition bug wasn't raised weeks ago... nor what the logic is behind not having uploaded the release version already, given that the upstream schedule claims it was released a week ago. In the past we managed the transition ourselves by quickly updating netexpect after wireshark. Since netexpect does not have too many users yet and netexpect is the only package depending on wireshark it seemed to be a better solution over involving the release team. Should we always open a transition bug? Last time, for the Wireshark 1.4 to 1.6 transition, we were not close to a freeze, but Bálint and I coordinated the transition just like we did this time. The end result was the same -- all packages and their dependencies hitting unstable on the same day. Cheers, Eloy Paris.- -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#679041: transition: wireshark
On Thu, 2012-06-28 at 07:36 -0400, Eloy Paris wrote: On 06/28/2012 04:43 AM, Bálint Réczey wrote: In the past we managed the transition ourselves by quickly updating netexpect after wireshark. Since netexpect does not have too many users yet and netexpect is the only package depending on wireshark it seemed to be a better solution over involving the release team. Should we always open a transition bug? Last time, for the Wireshark 1.4 to 1.6 transition, we were not close to a freeze, but Bálint and I coordinated the transition just like we did this time. The end result was the same -- all packages and their dependencies hitting unstable on the same day. For most of the release cycle, that will likely work fine, yes; although unless netexpect actually requires source changes, you could save yourself some work and just ask us to binNMU it. However, when the freeze is known to be very close and the upload doesn't occur until nearly three weeks _after_ the already publicised talk to us /now/ or your transition is unlikely to make wheezy time point, then co-ordination amongst yourselves is not sufficient. If it weren't for upstream's published support calendar, there's a reasonable chance that 1.8 might not have made it, given when the release team were asked. Regards, Adam -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#679041: transition: wireshark
tag 679041 + pending thanks On Tue, 2012-06-26 at 19:16 +0200, Bálint Réczey wrote: 2012/6/26 Mehdi Dogguy me...@dogguy.org: On 26/06/2012 00:10, Bálint Réczey wrote: I'd like to upload the latest version of wireshark to unstable. Updating from 1.6.8 to 1.8.0 brings a new ABI with a new soname for all the libs. Having Wireshark 1.8.x in Wheezy is important because upstream's support for 1.6.x ends on June 7, 2013 [1] and Wireshark needs regular security updates. [...] Thanks for letting us know. Unfortunately, we think that this update came a tad late because we are that near to freeze and the update seems quite large. This is why i don't want to risk backporting security fixes from 1.8.x to 1.6.x. I have to admit to not being happy with the size of the diff at this late stage, but it seems the lesser of the available evils. The 1.8 package was accepted from NEW a short while ago by our friendly ftp-team. Can we schedule binNMUs for netexpect, or does it require any source changes? About the security concerns, as far as I can see, updating wireshark to 1.8 in Wheezy would not buy us more than a year. AFAIK, the security One year is practically one third of Wheezy support time. This is huge. If we assume a cycle of recent lengths for wheezy+1, it also leaves us with likely one third of wheezy's lifetime where upstream won't be supporting 1.8. Note that 1.8.0~rc1-1 has been uploaded to the NEW queue weeks ago... [1] In that case, I'm not entirely sure why the transition bug wasn't raised weeks ago... nor what the logic is behind not having uploaded the release version already, given that the upstream schedule claims it was released a week ago. Regards, Adam -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#679041: transition: wireshark
Hi, On 26/06/2012 00:10, Bálint Réczey wrote: I'd like to upload the latest version of wireshark to unstable. Updating from 1.6.8 to 1.8.0 brings a new ABI with a new soname for all the libs. Having Wireshark 1.8.x in Wheezy is important because upstream's support for 1.6.x ends on June 7, 2013 [1] and Wireshark needs regular security updates. Thanks for letting us know. Unfortunately, we think that this update came a tad late because we are that near to freeze and the update seems quite large. About the security concerns, as far as I can see, updating wireshark to 1.8 in Wheezy would not buy us more than a year. AFAIK, the security team didn't raise any concerns about this package in the past. Are there any other concerns with the 1.6.8 release besides the security aspect? Regards, -- Mehdi Dogguy مهدي الدڤي http://dogguy.org/ -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#679041: transition: wireshark
2012/6/26 Mehdi Dogguy me...@dogguy.org: Hi, On 26/06/2012 00:10, Bálint Réczey wrote: I'd like to upload the latest version of wireshark to unstable. Updating from 1.6.8 to 1.8.0 brings a new ABI with a new soname for all the libs. Having Wireshark 1.8.x in Wheezy is important because upstream's support for 1.6.x ends on June 7, 2013 [1] and Wireshark needs regular security updates. Thanks for letting us know. Unfortunately, we think that this update came a tad late because we are that near to freeze and the update seems quite large. This is why i don't want to risk backporting security fixes from 1.8.x to 1.6.x. About the security concerns, as far as I can see, updating wireshark to 1.8 in Wheezy would not buy us more than a year. AFAIK, the security One year is practically one third of Wheezy support time. This is huge. team didn't raise any concerns about this package in the past. Are there any other concerns with the 1.6.8 release besides the security aspect? The security aspect is the most important one. Supporting 1.6.x put too much load on the single maintainer of wireshark. Another important factor is that we may want to ship reasonably fresh software to users. Note that 1.8.0~rc1-1 has been uploaded to the NEW queue weeks ago... [1] Please let the package in. Thanks, Balint [1]: http://ftp-master.debian.org/new/wireshark_1.8.0~rc1-1.html -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#679041: transition: wireshark
❦ 26 juin 2012 18:26 CEST, Mehdi Dogguy me...@dogguy.org : About the security concerns, as far as I can see, updating wireshark to 1.8 in Wheezy would not buy us more than a year. But after one year, it will be easier to backport fixes to 1.8 than to backport them to 1.6. -- /* Identify the flock of penguins. */ 2.2.16 /usr/src/linux/arch/alpha/kernel/setup.c pgpeS6u8ZHKg3.pgp Description: PGP signature
Bug#679041: transition: wireshark
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition Dear Release Team, I'd like to upload the latest version of wireshark to unstable. Updating from 1.6.8 to 1.8.0 brings a new ABI with a new soname for all the libs. Having Wireshark 1.8.x in Wheezy is important because upstream's support for 1.6.x ends on June 7, 2013 [1] and Wireshark needs regular security updates. The only source package affected is netexpect, for which I am in contact with its maintainer, Eloy Paris. I have uploaded wireshark 1.8.0~rc1 to the NEW queue through a sponsor and plan uploading 1.8.0 to unstable right after RC1 gets accepted. Ben file: title = wireshark; is_affected = .build-depends ~ /libwireshark-dev|libwsutil-dev|libwiretap-dev/; is_good = .depends ~ /libwireshark2|libwsutil2|libwiretap2/; is_pad = .depends ~ /libwireshark1|libwsutil1|libwiretap1/; [1]: http://wiki.wireshark.org/Development/LifeCycle -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org