Bug#725968: pu: package libvirt/0.9.12.2-1
Hi,

Guido Günther wrote (10 Oct 2013 15:22:45 GMT):
> On Thu, Oct 10, 2013 at 03:38:33PM +0200, Cyril Brulebois wrote:
> [..snip..]
> > For the record, we tend to prefer having debdiff (or at least debian
> > changelogs) posted to the BTS. Right now I have absolutely no idea which
> > bugs you're trying to get fixed, and whether fixes landed in testing or
> > unstable.
>
> libvirt (0.9.12.2-1) wheezy-proposed-updates; urgency=low
>
>   * [77a7135] Adjust gbp.conf for Wheezy point releases
>   * [b457e3f] New upstream version 0.9.12.1
>   * [ae6e265] New upstream version 0.9.12.2
>   * [2d07b5c] Drop patches fixed upstream.
>     Include-stdint.h-for-uint32_t.patch
>     Revert-rpc-Discard-non-blocking-calls-only-when-nece.patch
>     fix-leak-virStorageBackendLogicalMakeVol.patch
>     qemu-Add-support-for-no-user-config.patch
>     qemu-Fix-off-by-one-error-while-unescaping-monitor-s.patch
>     rpc-Fix-crash-on-error-paths-of-message-dispatching.patch
>     security/CVE-2012-3445.patch
>     security/Fix-crash-in-remoteDispatchDomainMemoryStats.patch
>     security/security-Fix-libvirtd-crash-possibility.patch
>     upstream/Fix-libvirtd-crash-when-destroying-a-domain-with-att.patch
>     upstream/Fix-race-condition-when-destroying-guests.patch
>
>  -- Guido Günther <a...@sigxcpu.org>  Tue, 01 Oct 2013 21:45:08 +0200
>
> This also fixes CVE-2013-4311 once we have a fixed polkit in wheezy.
>
> > But seriously, a 15MB diff is nowhere reviewable. Even if most of it is
> > automake bootstrap and patches moving around.
>
> The patches (outside debian/) were all reviewed by upstream and mostly
> incorporate the diff Debian was carrying back upstream so we can release
> further updates from that branch.

I suspect that the changelog snippet that Guido sent does not address what
Cyril was asking (more specifically: which bugs you're trying to get fixed,
and whether fixes landed in testing or unstable).

On the positive side, I can see one thing that could possibly help: a diff
between the current version in stable, with the Debian patches applied, and
the proposed update. It would automatically filter out the move of
Debian-specific patches to the upstream source, and hopefully it will be of
a size that the release team is happy to review.

Cheers,
-- 
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc

-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/85y529nsm8@boum.org
Bug#725968: pu: package libvirt/0.9.12.2-1
On Tue, Oct 15, 2013 at 06:52:57PM +0200, Michael Biebl wrote:
> Hi,
>
> On 10.10.2013 17:22, Guido Günther wrote:
> > On Thu, Oct 10, 2013 at 03:38:33PM +0200, Cyril Brulebois wrote:
> > [..snip..]
> > > For the record, we tend to prefer having debdiff (or at least debian
> > > changelogs) posted to the BTS. Right now I have absolutely no idea
> > > which bugs you're trying to get fixed, and whether fixes landed in
> > > testing or unstable.
> >
> > libvirt (0.9.12.2-1) wheezy-proposed-updates; urgency=low
> >
> >   * [77a7135] Adjust gbp.conf for Wheezy point releases
> >   * [b457e3f] New upstream version 0.9.12.1
> >   * [ae6e265] New upstream version 0.9.12.2
> >   * [2d07b5c] Drop patches fixed upstream.
> >     Include-stdint.h-for-uint32_t.patch
> >     Revert-rpc-Discard-non-blocking-calls-only-when-nece.patch
> >     fix-leak-virStorageBackendLogicalMakeVol.patch
> >     qemu-Add-support-for-no-user-config.patch
> >     qemu-Fix-off-by-one-error-while-unescaping-monitor-s.patch
> >     rpc-Fix-crash-on-error-paths-of-message-dispatching.patch
> >     security/CVE-2012-3445.patch
> >     security/Fix-crash-in-remoteDispatchDomainMemoryStats.patch
> >     security/security-Fix-libvirtd-crash-possibility.patch
> >     upstream/Fix-libvirtd-crash-when-destroying-a-domain-with-att.patch
> >     upstream/Fix-race-condition-when-destroying-guests.patch
> >
> >  -- Guido Günther <a...@sigxcpu.org>  Tue, 01 Oct 2013 21:45:08 +0200
> >
> > This also fixes CVE-2013-4311 once we have a fixed polkit in wheezy.
>
> I talked to jmm about policykit-1 and CVE-2013-4288 on IRC today. The
> result wasn't quite conclusive yet. I think jmm doesn't consider the issue
> in policykit-1 important enough for a stable-security upload but I forgot
> to ask him if he nonetheless wants a stable upload for this issue.
>
> So I'd like clear advice from the security team what to do about
> CVE-2013-4288 (Bug: #723717) in policykit-1/stable:
> a/ Fix via stable-security
> b/ Fix via stable
> c/ Ignore (not important enough).
>
> I'm happy to do either a/ or b/ if the security team wants me to.
> If c/, this means libvirt would have to remove that patch for its stable
> upload.
>
> If we are going to fix policykit-1 in stable, libvirt should have a
> versioned dep on policykit-1, to ensure it gets the correct version of
> pkcheck.

I suggest we go ahead with b.

Cheers,
        Moritz

Archive: http://lists.debian.org/20131016151947.gb25...@inutil.org
Bug#725968: pu: package libvirt/0.9.12.2-1
Hi,

On 10.10.2013 17:22, Guido Günther wrote:
> On Thu, Oct 10, 2013 at 03:38:33PM +0200, Cyril Brulebois wrote:
> [..snip..]
> > For the record, we tend to prefer having debdiff (or at least debian
> > changelogs) posted to the BTS. Right now I have absolutely no idea which
> > bugs you're trying to get fixed, and whether fixes landed in testing or
> > unstable.
>
> libvirt (0.9.12.2-1) wheezy-proposed-updates; urgency=low
>
>   * [77a7135] Adjust gbp.conf for Wheezy point releases
>   * [b457e3f] New upstream version 0.9.12.1
>   * [ae6e265] New upstream version 0.9.12.2
>   * [2d07b5c] Drop patches fixed upstream.
>     Include-stdint.h-for-uint32_t.patch
>     Revert-rpc-Discard-non-blocking-calls-only-when-nece.patch
>     fix-leak-virStorageBackendLogicalMakeVol.patch
>     qemu-Add-support-for-no-user-config.patch
>     qemu-Fix-off-by-one-error-while-unescaping-monitor-s.patch
>     rpc-Fix-crash-on-error-paths-of-message-dispatching.patch
>     security/CVE-2012-3445.patch
>     security/Fix-crash-in-remoteDispatchDomainMemoryStats.patch
>     security/security-Fix-libvirtd-crash-possibility.patch
>     upstream/Fix-libvirtd-crash-when-destroying-a-domain-with-att.patch
>     upstream/Fix-race-condition-when-destroying-guests.patch
>
>  -- Guido Günther <a...@sigxcpu.org>  Tue, 01 Oct 2013 21:45:08 +0200
>
> This also fixes CVE-2013-4311 once we have a fixed polkit in wheezy.

I talked to jmm about policykit-1 and CVE-2013-4288 on IRC today. The result
wasn't quite conclusive yet. I think jmm doesn't consider the issue in
policykit-1 important enough for a stable-security upload but I forgot to ask
him if he nonetheless wants a stable upload for this issue.

So I'd like clear advice from the security team what to do about
CVE-2013-4288 (Bug: #723717) in policykit-1/stable:
a/ Fix via stable-security
b/ Fix via stable
c/ Ignore (not important enough).

I'm happy to do either a/ or b/ if the security team wants me to.
If c/, this means libvirt would have to remove that patch for its stable
upload.

If we are going to fix policykit-1 in stable, libvirt should have a versioned
dep on policykit-1, to ensure it gets the correct version of pkcheck.

Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
Bug#725968: pu: package libvirt/0.9.12.2-1
On Tue, Oct 15, 2013 at 06:52:57PM +0200, Michael Biebl wrote:
[..snip..]
> So I'd like clear advice from the security team what to do about
> CVE-2013-4288 (Bug: #723717) in policykit-1/stable:
> a/ Fix via stable-security
> b/ Fix via stable
> c/ Ignore (not important enough).
>
> I'm happy to do either a/ or b/ if the security team wants me to.
> If c/, this means libvirt would have to remove that patch for its stable
> upload.
>
> If we are going to fix policykit-1 in stable, libvirt should have a
> versioned dep on policykit-1, to ensure it gets the correct version of
> pkcheck.

Just as a data point: libvirt can keep the patches, but when built against an
unpatched polkit they would be disabled.

Cheers and thanks for following up on this!
 -- Guido

> Michael
> -- 
> Why is it that all of the instruments seeking intelligent life in the
> universe are pointed away from Earth?

Archive: http://lists.debian.org/20131015184521.ga23...@bogon.sigxcpu.org
Bug#725968: pu: package libvirt/0.9.12.2-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

Hi,
to ease the porting of libvirt patches for Debian's stable branch (0.9.12) we
created upstream a v0.9.12-maint branch containing what we (as in Debian)
cherry picked from upstream already plus newer security fixes:

    http://libvirt.org/git/?p=libvirt.git;a=shortlog;h=refs/heads/v0.9.12-maint

Any chance we could switch to 0.9.12.2 for the next (or after that) point
release? This also contains the somewhat complex backport for CVE-2013-4311
[1]. Since the branch is for critical (mostly security and crashes) fixes
only it should be a good fit for Debian stable releases.

The huge diff[2] mostly stems from a new automake bootstrap and most of our
debian/patches moving into the actual release. I'm testing the release
tarballs with libvirt-tck so from a stability standpoint we should be even
better off than what we currently ship.

So o.k. to upload 0.9.12.2-1 to p-u?

Cheers,
 -- Guido

[1] for this to take effect we need a patched polkit first
[2] http://honk.sigxcpu.org/projects/libvirt/debian/0.9.12.2-1.diff

Archive: http://lists.debian.org/20131010130512.ga30...@bogon.sigxcpu.org
Bug#725968: pu: package libvirt/0.9.12.2-1
Control: tag -1 wheezy

Guido Günther <a...@sigxcpu.org> (2013-10-10):
> Any chance we could switch to 0.9.12.2 for the next (or after that) point
> release?

Certainly not for the next point release, due this weekend, and frozen past
weekend.

> This also contains the somewhat complex backport for CVE-2013-4311 [1].
> Since the branch is for critical (mostly security and crashes) fixes only
> it should be a good fit for Debian stable releases.
>
> The huge diff[2] mostly stems from a new automake bootstrap and most of our
> debian/patches moving into the actual release. I'm testing the release
> tarballs with libvirt-tck so from a stability standpoint we should be even
> better off than what we currently ship.
>
> So o.k. to upload 0.9.12.2-1 to p-u?
>
> Cheers,
>  -- Guido
>
> [1] for this to take effect we need a patched polkit first
> [2] http://honk.sigxcpu.org/projects/libvirt/debian/0.9.12.2-1.diff

For the record, we tend to prefer having debdiff (or at least debian
changelogs) posted to the BTS. Right now I have absolutely no idea which bugs
you're trying to get fixed, and whether fixes landed in testing or unstable.

But seriously, a 15MB diff is nowhere reviewable. Even if most of it is
automake bootstrap and patches moving around.

Other team members' mileage may vary…

Mraw,
KiBi.
Processed: Re: Bug#725968: pu: package libvirt/0.9.12.2-1
Processing control commands:

> tag -1 wheezy
Bug #725968 [release.debian.org] pu: package libvirt/0.9.12.2-1
Added tag(s) wheezy.

-- 
725968: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725968
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Archive: http://lists.debian.org/handler.s.b725968.138141231920788.transcr...@bugs.debian.org
Bug#725968: pu: package libvirt/0.9.12.2-1
On Thu, Oct 10, 2013 at 03:38:33PM +0200, Cyril Brulebois wrote:
[..snip..]
> For the record, we tend to prefer having debdiff (or at least debian
> changelogs) posted to the BTS. Right now I have absolutely no idea which
> bugs you're trying to get fixed, and whether fixes landed in testing or
> unstable.

libvirt (0.9.12.2-1) wheezy-proposed-updates; urgency=low

  * [77a7135] Adjust gbp.conf for Wheezy point releases
  * [b457e3f] New upstream version 0.9.12.1
  * [ae6e265] New upstream version 0.9.12.2
  * [2d07b5c] Drop patches fixed upstream.
    Include-stdint.h-for-uint32_t.patch
    Revert-rpc-Discard-non-blocking-calls-only-when-nece.patch
    fix-leak-virStorageBackendLogicalMakeVol.patch
    qemu-Add-support-for-no-user-config.patch
    qemu-Fix-off-by-one-error-while-unescaping-monitor-s.patch
    rpc-Fix-crash-on-error-paths-of-message-dispatching.patch
    security/CVE-2012-3445.patch
    security/Fix-crash-in-remoteDispatchDomainMemoryStats.patch
    security/security-Fix-libvirtd-crash-possibility.patch
    upstream/Fix-libvirtd-crash-when-destroying-a-domain-with-att.patch
    upstream/Fix-race-condition-when-destroying-guests.patch

 -- Guido Günther <a...@sigxcpu.org>  Tue, 01 Oct 2013 21:45:08 +0200

This also fixes CVE-2013-4311 once we have a fixed polkit in wheezy.

> But seriously, a 15MB diff is nowhere reviewable. Even if most of it is
> automake bootstrap and patches moving around.

The patches (outside debian/) were all reviewed by upstream and mostly
incorporate the diff Debian was carrying back upstream so we can release
further updates from that branch.

Cheers,
 -- Guido

> Other team members' mileage may vary…
>
> Mraw,
> KiBi.

Archive: http://lists.debian.org/20131010152245.ga...@bogon.sigxcpu.org