Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED
Hi,

On Sunday, 23 November 2014, Mark Hymers wrote:

Anyways, it's now just based on oldstable - I expect this to bite us at some point, but probably better this way than not being able to get security fixes in.

...and it just bit us. Gah.

So when I was about to kick off pbuilder for the wheezy tomcat6 update I looked at the .dsc files and saw this:

tomcat6_6.0.41-2+squeeze5.dsc
tomcat6_6.0.41-2~deb7u1.dsc

And realized, this is bad, squeeze-lts would have a higher version than wheezy-security.

So tomcat6_6.0.41-2+deb7u1, no, that won't work, still lower version than squeeze-lts.

So tomcat6_6.0.41-3~deb7u1 and praying that -3 will go into jessie. (Which is actually the right thing (I think), but still needs some work. (#770769))

And while tomcat6_6.0.41-3~deb7u1 would work regarding squeeze-lts, it will not work for wheezy-security now (AIU), as jessie has a lower version atm.

Did I miss something?

I'll now proceed with uploading tomcat-native to squeeze-lts and leave the tomcat6|tomcat-native uploads for now... grumble.

cheers,
Holger, who takes credits for choosing 6.0.41-2+squeeze5 and not 6.0.41-2~deb6u1... hindsight and all that.

https://wiki.debian.org/LTS/Development misses instructions for this use case (updating to a new upstream version which is the same as in wheezy) but should probably get some (as soon as we figured out what's proper), so we don't repeat this mistake. For now I'd wish to file a bug so we don't forget but against which package?
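The ordering problem in this thread follows from the Debian version comparison rules: `~` sorts before everything, including the end of the string, and letters sort before `+`. The following is an added example, not part of the original messages and not dpkg's own code; it is a Python re-implementation of those rules (function names are this example's own) applied to the version strings quoted in the thread.

```python
import re
from functools import cmp_to_key
from itertools import zip_longest

def _weight(c):
    # Weight of one non-digit character; "" means the run ended and weighs 0.
    # '~' sorts before everything (even the end), letters before punctuation.
    if c == "":
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Walk both strings as alternating (non-digit run, digit run) pairs.
    runs_a = re.findall(r"([^0-9]*)([0-9]*)", a)
    runs_b = re.findall(r"([^0-9]*)([0-9]*)", b)
    for (sa, da), (sb, db) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _weight(ca) != _weight(cb):
                return -1 if _weight(ca) < _weight(cb) else 1
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; the revision follows the last hyphen.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare(v1, v2):
    """Return -1, 0 or 1 as v1 sorts before, equal to or after v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

# Version strings quoted in the thread, deliberately unsorted.
THREAD_VERSIONS = ["6.0.41-3", "6.0.41-2+squeeze5", "6.0.41-2~deb7u1", "6.0.41-2",
                   "6.0.41-3~deb7u1", "6.0.35-6+deb7u1", "6.0.41-2+deb7u1"]

def thread_order():
    return sorted(THREAD_VERSIONS, key=cmp_to_key(compare))

if __name__ == "__main__":
    print(" < ".join(thread_order()))
```

The sorted output places 6.0.41-2+squeeze5 above both -2~deb7u1 and -2+deb7u1, and places -3~deb7u1 above the 6.0.41-2 that jessie carried at the time.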
Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED
Hi,

Mark Hymers writes:

So, basically, for those following along, Holger asked me to make sure that squeeze LTS couldn't end up ahead of stable (wheezy). I therefore added the following version constraints:

mhy@franck:~$ dak admin v-c list-suite squeeze-lts
squeeze-lts MustBeNewerThan oldstable
squeeze-lts Enhances oldstable
squeeze-lts MustBeOlderThan stable
squeeze-lts MustBeOlderThan proposed-updates

This probably means that in some cases (especially those involving new upstream versions), stable security updates will need to hit p-u before the LTS uploads happen. If this is a problem, we should just revoke those parts of the version constraints and leave only the oldstable ones.

It even has to be in stable itself, not just in proposed-updates. Which means one has to wait until the next point release...

Ansgar
Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED
On Sunday, 23 November 2014, Mark Hymers wrote:

This probably means that in some cases (especially those involving new upstream versions), stable security updates will need to hit p-u before the LTS uploads happen. If this is a problem, we should just revoke those parts of the version constraints and leave only the oldstable ones.

I still think this makes sense, it was just inconvenient today...
Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED
Hi ftpmasters,

On Sunday, 23 November 2014, Ansgar Burchardt wrote:

squeeze-lts MustBeNewerThan oldstable
squeeze-lts Enhances oldstable
squeeze-lts MustBeOlderThan stable
squeeze-lts MustBeOlderThan proposed-updates

It even has to be in stable itself, not just in proposed-updates. Which means one has to wait until the next point release...

*that* I think is undesirable, we want to be able to do updates more often.

Adding stable-security as a constraint won't work (as security is using a different dak install), so I guess those two constraints newer than stable+proposed-updates should go for now - until we move LTS to the security archive (if we do so - but I do think that's desirable.)

Anyway, could you please remove those two constraints for now again?

Holger
Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED
On 11/23/2014 04:16 AM, Mark Hymers wrote:

On Sun, 23, Nov, 2014 at 10:29:59AM +0100, Holger Levsen spoke thus..

Hi,

On Sunday, 23 November 2014, Debian FTP Masters wrote:

Version check failed: Your upload included the source package tomcat6, version 6.0.41-2+squeeze5, however stable already has version 6.0.35-6+deb7u1. Uploads to squeeze-lts must have a lower version than present in stable.

so this is due to the changes to dak implemented by Mark Hymers during the MiniDebConf in Cambridge early November. (Mark can you please explain what other changes (relevant to LTS) you did?!

So, basically, for those following along, Holger asked me to make sure that squeeze LTS couldn't end up ahead of stable (wheezy). I therefore added the following version constraints:

mhy@franck:~$ dak admin v-c list-suite squeeze-lts
squeeze-lts MustBeNewerThan oldstable
squeeze-lts Enhances oldstable
squeeze-lts MustBeOlderThan stable
squeeze-lts MustBeOlderThan proposed-updates

This probably means that in some cases (especially those involving new upstream versions), stable security updates will need to hit p-u before the LTS uploads happen. If this is a problem, we should just revoke those parts of the version constraints and leave only the oldstable ones.

Hi Holger,

Thank you for coordinating this effort. I'm not aware of any reason why the squeeze-lts packaging/version of tomcat6 wouldn't also be appropriate for wheezy. An updated tomcat-native package should also be part of the update; building 1.1.31-1 from testing/unstable on wheezy fine. (I just built both of these, the squeeze-lts tomcat6 + tomcat-native 1.1.31-1 on a wheezy chroot and ran them without any issue.)

The Java Team is cc:d on this thread. Emmanuel has been in much closer contact with tomcat6 since this effort started, so he may have some input.

Synopsis: Updating tomcat6 for squeeze-lts put us in the awkward position of having a newer tomcat in old-stable than in stable; Holger is helping to get this resolved. I am recommending that tomcat-native 1.1.31 accompany any updates to tomcat6 6.0.41.

Cheers,
tony
Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED
Hi,

security-team, please comment...

On Sunday, 23 November 2014, tony mancill wrote:

Synopsis: Updating tomcat6 for squeeze-lts put us in the awkward position of having a newer tomcat in old-stable than in stable; Holger is helping to get this resolved. I am recommending that tomcat-native 1.1.31 accompany any updates to tomcat6 6.0.41.

I'm happy to prepare the tomcat-native uploads tomorrow, as well as tomcat6 for wheezy.

What version number should I use for wheezy? 6.0.41-2~deb7u1 or 6.0.41-2+deb7u1 or something else?

oh, btw: jessie has -2, sid -3, with changes unsuitable for wheezy and targeted at jessie. this needs an unblock request to let -3 migrate to jessie and have the binaries removed from sid first... anybody doing this?

cheers,
Holger
Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED
On Sun, 2014-11-23 at 19:43 +0100, Holger Levsen wrote:

oh, btw: jessie has -2, sid -3, with changes unsuitable for wheezy and targeted at jessie. this needs an unblock request to let -3 migrate to jessie and have the binaries removed from sid first... anybody doing this?

It needs more than that; from the cruft-report:

* package libtomcat6-java in version 6.0.41-2 is no longer built from source
[...]
- broken Depends:
  tomcat-maven-plugin: libtomcat-maven-plugin-java
[...]
* package tomcat6 in version 6.0.41-2 is no longer built from source
[...]
- broken Depends:
  biomaj-watcher/contrib: biomaj-watcher
  guacamole-client: guacamole-tomcat
  jspwiki/contrib: jspwiki
- broken Build-Depends:
  jspwiki/contrib: tomcat6
* package tomcat6-common in version 6.0.41-2 is no longer built from source
[...
- broken Build-Depends:
  tomcat-maven-plugin: tomcat6-common

Regards,

Adam
Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED
Hi Adam,

On Sunday, 23 November 2014, Adam D. Barratt wrote:

On Sun, 2014-11-23 at 19:43 +0100, Holger Levsen wrote:

oh, btw: jessie has -2, sid -3, with changes unsuitable for wheezy and targeted at jessie. this needs an unblock request to let -3 migrate to jessie and have the binaries removed from sid first... anybody doing this?

It needs more than that; from the cruft-report:

that's the cruft report for which distro?

* package libtomcat6-java in version 6.0.41-2 is no longer built from source
[...]
- broken Depends:
  tomcat-maven-plugin: libtomcat-maven-plugin-java

both are in wheezy

* package tomcat6 in version 6.0.41-2 is no longer built from source
[...]
- broken Depends:
  biomaj-watcher/contrib: biomaj-watcher
  guacamole-client: guacamole-tomcat

both are in wheezy

  jspwiki/contrib: jspwiki

jspwiki I can only find in unstable...

- broken Build-Depends:
  jspwiki/contrib: tomcat6
* package tomcat6-common in version 6.0.41-2 is no longer built from source
[...
- broken Build-Depends:
  tomcat-maven-plugin: tomcat6-common

see above, in wheezy

/me cannot believe adsb might have done a mistake - have we been hacked? ;-)

cheers,
Holger
Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED
On Sun, 2014-11-23 at 21:03 +0100, Holger Levsen wrote:

Hi Adam,

On Sunday, 23 November 2014, Adam D. Barratt wrote:

On Sun, 2014-11-23 at 19:43 +0100, Holger Levsen wrote:

oh, btw: jessie has -2, sid -3, with changes unsuitable for wheezy and targeted at jessie. this needs an unblock request to let -3 migrate to jessie and have the binaries removed from sid first... anybody doing this?

It needs more than that; from the cruft-report:

that's the cruft report for which distro?

For unstable, to go with your needs ... the binaries removed from sid. Those are the things blocking ftp-master from semi-automagically removing them.

Regards,

Adam
Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED
Hi Adam,

On Sunday, 23 November 2014, Adam D. Barratt wrote:

It needs more than that; from the cruft-report:

that's the cruft report for which distro?

For unstable, to go with your needs ...

ah, doh, rather obviously you're (already) looking at this from the jessie angle (too) :) /me just was thinking about blockers for the wheezy upload (yet) :)

the binaries removed from sid. Those are the things blocking ftp-master from semi-automagically removing them.

right. somebody needs to do more somethings ;)

cheers,
Holger
Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED
On 11/23/2014 12:03 PM, Holger Levsen wrote:

Hi Adam,

On Sunday, 23 November 2014, Adam D. Barratt wrote:

On Sun, 2014-11-23 at 19:43 +0100, Holger Levsen wrote:

oh, btw: jessie has -2, sid -3, with changes unsuitable for wheezy and targeted at jessie. this needs an unblock request to let -3 migrate to jessie and have the binaries removed from sid first... anybody doing this?

It needs more than that; from the cruft-report:

that's the cruft report for which distro?

* package libtomcat6-java in version 6.0.41-2 is no longer built from source
[...]
- broken Depends:
  tomcat-maven-plugin: libtomcat-maven-plugin-java

both are in wheezy

* package tomcat6 in version 6.0.41-2 is no longer built from source
[...]
- broken Depends:
  biomaj-watcher/contrib: biomaj-watcher
  guacamole-client: guacamole-tomcat

both are in wheezy

  jspwiki/contrib: jspwiki

jspwiki I can only find in unstable...

- broken Build-Depends:
  jspwiki/contrib: tomcat6
* package tomcat6-common in version 6.0.41-2 is no longer built from source
[...
- broken Build-Depends:
  tomcat-maven-plugin: tomcat6-common

see above, in wheezy

/me cannot believe adsb might have done a mistake - have we been hacked? ;-)

The cruft report for unstable will look *very* different due to 6.0.41-3 being a *radically* different package.

tomcat6 (6.0.41-3) unstable; urgency=medium

  * Build only the libservlet2.5-java and libservlet2.5-java-doc packages.
    Tomcat 6 will not be supported in Jessie, but the Servlet API is still
    useful as a build dependency for other packages.
  * Standards-Version updated to 3.9.6 (no changes)

 -- Emmanuel Bourg ebo...@apache.org Wed, 22 Oct 2014 09:48:54 +0200

The decision/requirement to remove tomcat6 from jessie has been requested by the Security team for quite a while, and the 6.0.41-3 source upload effectively does this by just building libservlet2.5-java (without which we would have many packages with missing r-deps).

I'm not sure I understand all of the ramifications of the statement I'm about to make, but for the purposes of squeeze and wheezy, we need to consider 6.0.41-2 as the last version of a complete tomcat6 source package.

tony