Bug#1051474: libreoffice: Please add embedded code copies to embedded-code-copies on security tracker debian.tar.xz/tarballs

2023-09-10 Thread Moritz Muehlenhoff
On Sun, Sep 10, 2023 at 07:13:37AM +, Bastien Roucariès wrote:
> On Sunday 10 September 2023, 05:44:02 UTC Rene Engelhard wrote:
> > severity 1051474 important
> > 
> > thanks
> > 
> > Hi,
> > 
> > On 08.09.23 at 19:19 Bastien Roucariès wrote:
> > > Source: libreoffice
> > > Severity: serious
> > > Tags: security
> > > Justification: Document embedded code copy + copyright
> > > X-Debbugs-Cc: Debian Security Team 
> > 
> > Since when is that serious? It isn't. There have been no complaints from 
> > anyone in the security team in any of the last security updates?
> 
> I have reason to complain security-wise

Still this isn't an RC bug.

Cheers,
Moritz



Bug#1051474: libreoffice: Please add embedded code copies to embedded-code-copies on security tracker debian.tar.xz/tarballs

2023-09-10 Thread Bastien Roucariès
On Sunday 10 September 2023, 05:44:02 UTC Rene Engelhard wrote:
> severity 1051474 important
> 
> thanks
> 
> Hi,
> 
> On 08.09.23 at 19:19 Bastien Roucariès wrote:
> > Source: libreoffice
> > Severity: serious
> > Tags: security
> > Justification: Document embedded code copy + copyright
> > X-Debbugs-Cc: Debian Security Team 
> 
> Since when is that serious? It isn't. There have been no complaints from 
> anyone in the security team in any of the last security updates?

I have reason to complain security-wise
> 
> (None of which affected any of the internal copies used,)
> 
> The policy says "should". And it is followed.
> 
> The most stuff isn't used as internal code copies, only the unavoidable 
> ones are. And TTBOMK the security team DOES know it.

Yes I know
> 
> > Could you document that you embedded a few tarballs under the security
> > tracker?
> 
> You mean I should send MRs to it?

Yes I think so
> 
> > Moreover you do not document where you downloaded these files; a comment
> > under copyright will be helpful (README.source says how to retrieve it, not
> > the link to get it).
> 
> They fetch it manually and put it there.  (Which normally would be done 
> from upstream's build system for ALL tarballs, even those not used..)
> 
> (It basically always is https://dev-www.libreoffice.org/src/ (which 
> mirrors stuff they got from the website):

:S

I would really prefer that we download from upstream
> 
> Makefile:        $(call fetch_Download_item_unchecked,https://download.documentfoundation.org/libreoffice/src/$(shell echo $(gb_LO_VER) | sed -e "s/\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/"),libreoffice-$(i)-$(gb_LO_VER).tar.xz))
> 
> 
> Regards,
> 
> 
> Rene
> 
> 





Bug#1051474: libreoffice: Please add embedded code copies to embedded-code-copies on security tracker debian.tar.xz/tarballs

2023-09-09 Thread Rene Engelhard

severity 1051474 important

thanks

Hi,

On 08.09.23 at 19:19 Bastien Roucariès wrote:

Source: libreoffice
Severity: serious
Tags: security
Justification: Document embedded code copy + copyright
X-Debbugs-Cc: Debian Security Team 


Since when is that serious? It isn't. There have been no complaints from 
anyone in the security team in any of the last security updates?


(None of which affected any of the internal copies used,)

The policy says "should". And it is followed.

The most stuff isn't used as internal code copies, only the unavoidable 
ones are. And TTBOMK the security team DOES know it.


> Could you document that you embedded a few tarballs under the security
> tracker?


You mean I should send MRs to it?

> Moreover you do not document where you downloaded these files; a comment
> under copyright will be helpful (README.source says how to retrieve it, not
> the link to get it).


They fetch it manually and put it there.  (Which normally would be done 
from upstream's build system for ALL tarballs, even those not used..)


(It basically always is https://dev-www.libreoffice.org/src/ (which 
mirrors stuff they got from the website):


Makefile:        $(call fetch_Download_item_unchecked,https://download.documentfoundation.org/libreoffice/src/$(shell echo $(gb_LO_VER) | sed -e "s/\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/"),libreoffice-$(i)-$(gb_LO_VER).tar.xz))



Regards,


Rene
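
As an added illustration, not LibreOffice's gbuild nor the Debian packaging's own tooling: the upstream fetch rule quoted above is the `_unchecked` variant, so the tarball is taken as downloaded, and the bug asks for the download location and version of each embedded tarball to be written down. The POSIX shell function below does both for tarballs already staged in a directory: a manifest row names the component, its version, the upstream URL it came from and a pinned SHA-256, the function refuses any missing or mismatching file, and for every good file it prints a provenance line that can be pasted into README.source or d/copyright. The manifest format, the file names and the `example.invalid` URLs are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the libreoffice packaging or LibreOffice's
# gbuild: verify locally staged embedded tarballs against a pinned manifest
# and print one provenance line per tarball (component, version, upstream
# URL, digest) for README.source or d/copyright.
#
# Assumed manifest format (one row per tarball, whitespace separated):
#   <component> <version> <download-url> <sha256-hex>
# Lines starting with '#' and blank lines are ignored.

# verify_embedded MANIFEST DIR
# Exit status 0 only when every listed tarball exists in DIR and its SHA-256
# matches the manifest.  Problems go to stderr, provenance lines to stdout.
verify_embedded() {
    manifest=$1
    dir=$2
    rc=0
    while read -r component version url sha; do
        case $component in ''|'#'*) continue ;; esac
        file="$dir/${url##*/}"   # tarball is named after the URL's last path element
        if [ ! -f "$file" ]; then
            echo "MISSING  $component $version ($file)" >&2
            rc=1
            continue
        fi
        actual=$(sha256sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$sha" ]; then
            echo "MISMATCH $component $version: expected $sha, got $actual" >&2
            rc=1
            continue
        fi
        echo "$component $version $url sha256:$sha"
    done < "$manifest"
    return $rc
}

# Self-contained demonstration on constructed data (run this file with --demo).
demo() {
    tmp=$(mktemp -d)
    printf 'constructed, not a real upstream tarball\n' > "$tmp/example-1.2.3.tar.xz"
    sum=$(sha256sum "$tmp/example-1.2.3.tar.xz" | cut -d' ' -f1)
    {
        echo '# constructed manifest'
        echo "example 1.2.3 https://example.invalid/src/example-1.2.3.tar.xz $sum"
        echo "absent 0.1 https://example.invalid/src/absent-0.1.tar.xz $sum"
    } > "$tmp/manifest"
    verify_embedded "$tmp/manifest" "$tmp"
    echo "exit status: $?"   # non-zero here, because absent-0.1.tar.xz is not staged
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

The digests in the manifest are pinned once, at the time the tarball is taken from the documented upstream location, so a later re-download that differs from what was reviewed is caught at build time rather than noticed after the fact; the stdout lines double as the per-tarball record (where it came from, which version) that the bug report asks for.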



Bug#1051474: libreoffice: Please add embedded code copies to embedded-code-copies on security tracker debian.tar.xz/tarballs

2023-09-08 Thread Bastien Roucariès
Source: libreoffice
Severity: serious
Tags: security
Justification: Document embedded code copy + copyright
X-Debbugs-Cc: Debian Security Team 

Dear Maintainer,

Could you document that you embedded a few tarballs under the security tracker?
For oldstable/stable/unstable

Version should be documented.

Moreover you do not document where you downloaded these files; a comment under
copyright will be helpful (README.source says how to retrieve it, not the link to
get it).

Thanks

Bastien


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.4.0-3-rt-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled