Bug#910610: stretch-pu: package dnsmasq/2.76-5+deb9u1
El 09/10/18 a las 19:24, Adam D. Barratt escribió: > On Tue, 2018-10-09 at 19:26 +0200, Santiago Ruano Rincón wrote: > > El 09/10/18 a las 16:34, Adam D. Barratt escribió: > > > On 2018-10-09 13:39, Santiago Ruano Rincón wrote: > > > > El 08/10/18 a las 20:02, Adam D. Barratt escribió: > > > > > Please go ahead. > > > > > > > > Thanks! > > > > > > Apologies for having missed it originally, but > > > > > > +dnsmasq (2.76-5+deb9u1.1) stretch; urgency=medium > > > > > > that should simply be "2.76-5+deb9u2". The number after the "u" is > > > expected > > > to be an integer, and stable updates don't require NMU versioning. > > > (It's > > > often the case that the "usual" maintainer and the uploader of a > > > stable > > > update are different.) > > > > Ah, sorry! I didn't realize that (and I'll maybe have to report a bug > > against lintian). May I upload again? > > Yes, no problem. I'll sort out rejecting the earlier upload. > > > Just fixing the version number in the same changelog section is OK? > > Well, and rebuilding. ;-) But yes. Done! I hope it's OK this time. Thanks, -- Santiago signature.asc Description: PGP signature
Bug#910610: stretch-pu: package dnsmasq/2.76-5+deb9u1
On Tue, 2018-10-09 at 19:26 +0200, Santiago Ruano Rincón wrote: > El 09/10/18 a las 16:34, Adam D. Barratt escribió: > > On 2018-10-09 13:39, Santiago Ruano Rincón wrote: > > > El 08/10/18 a las 20:02, Adam D. Barratt escribió: > > > > Please go ahead. > > > > > > Thanks! > > > > Apologies for having missed it originally, but > > > > +dnsmasq (2.76-5+deb9u1.1) stretch; urgency=medium > > > > that should simply be "2.76-5+deb9u2". The number after the "u" is > > expected > > to be an integer, and stable updates don't require NMU versioning. > > (It's > > often the case that the "usual" maintainer and the uploader of a > > stable > > update are different.) > > Ah, sorry! I didn't realize that (and I'll maybe have to report a bug > against lintian). May I upload again? Yes, no problem. I'll sort out rejecting the earlier upload. > Just fixing the version number in the same changelog section is OK? Well, and rebuilding. ;-) But yes. Regards, Adam
Bug#910610: stretch-pu: package dnsmasq/2.76-5+deb9u1
El 09/10/18 a las 16:34, Adam D. Barratt escribió: > On 2018-10-09 13:39, Santiago Ruano Rincón wrote: > > El 08/10/18 a las 20:02, Adam D. Barratt escribió: > > > Please go ahead. > > > > Thanks! > > Apologies for having missed it originally, but > > +dnsmasq (2.76-5+deb9u1.1) stretch; urgency=medium > > that should simply be "2.76-5+deb9u2". The number after the "u" is expected > to be an integer, and stable updates don't require NMU versioning. (It's > often the case that the "usual" maintainer and the uploader of a stable > update are different.) Ah, sorry! I didn't realize that (and I'll maybe have to report a bug against lintian). May I upload again? Just fixing the version number in the same changelog section is OK? Thanks, -- Santiago signature.asc Description: PGP signature
Bug#907887: Bug#910610: stretch-pu: package dnsmasq/2.76-5+deb9u1
On 2018-10-09 13:39, Santiago Ruano Rincón wrote: El 08/10/18 a las 20:02, Adam D. Barratt escribió: Please go ahead. Thanks! Apologies for having missed it originally, but +dnsmasq (2.76-5+deb9u1.1) stretch; urgency=medium that should simply be "2.76-5+deb9u2". The number after the "u" is expected to be an integer, and stable updates don't require NMU versioning. (It's often the case that the "usual" maintainer and the uploader of a stable update are different.) Regards, Adam
Bug#907887: Bug#910610: stretch-pu: package dnsmasq/2.76-5+deb9u1
El 08/10/18 a las 20:02, Adam D. Barratt escribió: > Control: severity -1 normal > Control: tags -1 + confirmed > > On Mon, 2018-10-08 at 19:35 +0200, Santiago Ruano Rincón wrote: > > Package: release.debian.org > > Severity: important > > p-u requests are always "normal". > > > I'd like to propose the attached dnsmasq NMU to update the DNSSEC > > trust anchor shipped with the package, to the forthcoming KSK-2017, > > whose rollover will be happen next Thursday (2018-10-11). Please see > > #907887: > > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907887 > > > > While I have no feedback from Simon (in CC, and I hope he's doing > > well), I think this upload is important to prevent issues in non- > > default scenarios, where dnsmasq is running with DNSSEC enabled and > > relying on the trust anchors file included in dnsmasq-base. > > I assume you mean "and *not* relying on"? Not exactly, I wasn't clear actually. Users have to manually enable DNSSEC in dnsmasq, and they need to let dnsmasq know where or how to find the trust anchors. E.g. the trust-anchors.conf shipped file, or by installing the dns-root-data package. > > Please go ahead. Thanks! -- Santiago signature.asc Description: PGP signature
Bug#910610: stretch-pu: package dnsmasq/2.76-5+deb9u1
Control: severity -1 normal Control: tags -1 + confirmed On Mon, 2018-10-08 at 19:35 +0200, Santiago Ruano Rincón wrote: > Package: release.debian.org > Severity: important p-u requests are always "normal". > I'd like to propose the attached dnsmasq NMU to update the DNSSEC > trust anchor shipped with the package, to the forthcoming KSK-2017, > whose rollover will be happen next Thursday (2018-10-11). Please see > #907887: > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907887 > > While I have no feedback from Simon (in CC, and I hope he's doing > well), I think this upload is important to prevent issues in non- > default scenarios, where dnsmasq is running with DNSSEC enabled and > relying on the trust anchors file included in dnsmasq-base. I assume you mean "and *not* relying on"? Please go ahead. Regards, Adam
Bug#910610: stretch-pu: package dnsmasq/2.76-5+deb9u1
Package: release.debian.org Severity: important Tags: stretch User: release.debian@packages.debian.org Usertags: pu Dear stable release managers, I'd like to propose the attached dnsmasq NMU to update the DNSSEC trust anchor shipped with the package, to the forthcoming KSK-2017, whose rollover will be happen next Thursday (2018-10-11). Please see #907887: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907887 While I have no feedback from Simon (in CC, and I hope he's doing well), I think this upload is important to prevent issues in non-default scenarios, where dnsmasq is running with DNSSEC enabled and relying on the trust anchors file included in dnsmasq-base. May I go ahead? Cheers, -- Santiago diff -u dnsmasq-2.76/debian/changelog dnsmasq-2.76/debian/changelog --- dnsmasq-2.76/debian/changelog +++ dnsmasq-2.76/debian/changelog @@ -1,3 +1,11 @@ +dnsmasq (2.76-5+deb9u1.1) stretch; urgency=medium + + * Non-maintainer upload. + * trust-anchors.conf: include latest DNS trust anchor KSK-2017. +(Closes: #907887) + + -- Santiago Ruano Rincón Fri, 21 Sep 2018 17:06:18 +0200 + dnsmasq (2.76-5+deb9u1) stretch-security; urgency=high * Non-maintainer upload by the Security Team. only in patch2: unchanged: --- dnsmasq-2.76.orig/trust-anchors.conf +++ dnsmasq-2.76/trust-anchors.conf @@ -1,9 +1,10 @@ -# The root DNSSEC trust anchor, valid as at 30/01/2014 +# The root DNSSEC trust anchor, valid as at 10/02/2017 # Note that this is a DS record (ie a hash of the root Zone Signing Key) # If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 +trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D signature.asc Description: PGP signature
