Re: security updates introducing breakage
Stefan Fritsch writes (Re: security updates introducing breakage):
> On Thu, 20 Jan 2011, Ian Jackson wrote:
> > An alternative would be to look for bugs which are fixed in the previous version but found in the update, and ask submitters of regressions to mark the bug as fixed in the previous working version.
>
> This probably also amounts to reportbug asking if the bug is a regression and then marking the bug as such. If this can be done without the submitter having to know about the BTS's version tracking, this would be ok, too.

I guess reportbug could ask you

    Do you know whether this ever worked properly on this computer?
    If so, when is the last time you are sure it worked?

and then use the packaging system logs to find the version number of the package at that point in time.

If the quality of this data from submitters was any good it might well help the maintainers in general as the maintainer would get to know probably introduced between X and Y.

Ian.

--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/19769.28172.681572.181...@chiark.greenend.org.uk
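The lookup proposed in the message above (map the time a package last worked to the version installed then, using the packaging logs) can be sketched as follows. This is an added example, not part of the thread and not reportbug code; it assumes the `/var/log/dpkg.log` line format, and the package names, versions and the `regression_window` helper are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in /var/log/dpkg.log format (names and versions are made up).
SAMPLE_LOG = """\
2010-03-02 09:14:07 install examplepkg <none> 1.0-1
2010-03-02 09:14:09 status installed examplepkg 1.0-1
2010-06-26 11:40:12 upgrade examplepkg 1.0-1 1.0-1+lenny1
2010-06-26 11:40:15 status installed examplepkg 1.0-1+lenny1
2010-06-26 11:40:16 upgrade otherpkg 2.3-4 2.3-5
2011-01-05 08:02:33 upgrade examplepkg 1.0-1+lenny1 1.0-1+lenny2
"""

# Only install/upgrade lines carry "<old-version> <new-version>".
LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (install|upgrade) (\S+) (\S+) (\S+)$")

def version_changes(log_text, package):
    """Return [(timestamp, old_version, new_version)] for one package, oldest first."""
    changes = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # status/configure/remove lines are not needed here
        stamp, _action, pkg, old, new = m.groups()
        if pkg.split(":")[0] == package:  # newer dpkg logs "name:arch"
            when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            changes.append((when, old, new))
    return sorted(changes)

def regression_window(log_text, package, last_worked):
    """Return (X, Y): the version installed when the submitter last saw it
    work and the version installed now. X == Y means the package has not
    changed since; None means the log cannot answer the question."""
    changes = version_changes(log_text, package)
    if not changes:
        return None
    before = [c for c in changes if c[0] <= last_worked]
    if before:
        worked = before[-1][2]
    elif changes[0][1] != "<none>":
        # Log was rotated: the first upgrade's old version was installed then.
        worked = changes[0][1]
    else:
        return None  # package was not installed at that time
    return worked, changes[-1][2]
```

On a real system the rotated logs (`dpkg.log.1` and the compressed older ones) would need to be concatenated first, otherwise the answer is limited to the current log's time span.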
Re: security updates introducing breakage
On Thu, January 20, 2011 03:18, Paul Wise wrote:
> On Thu, Jan 20, 2011 at 10:59 AM, Brian May br...@microcomaustralia.com.au wrote:
> > What is policy when security updates for stable introduce new regressions in software that weren't there before? Can these get fixed in stable?
>
> If a stable security update contained a regression, usually that is fixed with an update in the stable security archive. Please ping the maintainer and CC the security team about this. You will also want to unarchive the bug so that it can be closed again.

Indeed, if an update via stable-security introduces regressions then these will usually be fixed via a further upload to stable-security. In this case, although the update was security related, it was actually made via proposed-updates as part of the 5.0.5 point release. Much the same applies in cases such as this, however. Alerting the maintainer should be the first step, with a CC to the Release Team being appreciated.

> I also wonder why the security team didn't pick this up, I guess they don't have any automatic tracking of bugs filed against versions they uploaded.

I can't speak for the security team, but it's non-trivial for the Release Team to track all bugs filed against the version of a package in lenny and then determine whether the problem could have been introduced in a stable update. There's some great ongoing work to help ensure that RC bugs are correctly tagged and versioned to indicate whether they affect stable releases, and to help get them fixed where it's been determined that they do. For lower severity bugs, we do very much rely on maintainers and other interested parties bringing the issue to our attention.

Once we're aware of the problem we're more than happy to get it fixed via a future point release; as with any such update, minimal, targeted and well tested patches are appreciated.

Regards,

Adam

Archive: http://lists.debian.org/9ed67fdb1a765f1a4a2a3a5cf71c58d5.squir...@adsl.funky-badger.org
Re: security updates introducing breakage
On Thu, 20 Jan 2011, Adam D. Barratt wrote:
> On Thu, January 20, 2011 03:18, Paul Wise wrote:
> > On Thu, Jan 20, 2011 at 10:59 AM, Brian May br...@microcomaustralia.com.au wrote:
> > > What is policy when security updates for stable introduce new regressions in software that weren't there before? Can these get fixed in stable?
> >
> > If a stable security update contained a regression, usually that is fixed with an update in the stable security archive. Please ping the maintainer and CC the security team about this. You will also want to unarchive the bug so that it can be closed again.
>
> Indeed, if an update via stable-security introduces regressions then these will usually be fixed via a further upload to stable-security. In this case, although the update was security related, it was actually made via proposed-updates as part of the 5.0.5 point release. Much the same applies in cases such as this, however. Alerting the maintainer should be the first step, with a CC to the Release Team being appreciated.
>
> > I also wonder why the security team didn't pick this up, I guess they don't have any automatic tracking of bugs filed against versions they uploaded.
>
> I can't speak for the security team, but it's non-trivial for the Release Team to track all bugs filed against the version of a package in lenny and then determine whether the problem could have been introduced in a stable update.

Ack. There is no automatic way the security team is notified of such bugs. Please CC us in such cases.

Cheers,
Stefan

Archive: http://lists.debian.org/alpine.deb.1.10.1101202026550.13...@eru.sfritsch.de
Re: security updates introducing breakage
On Thu, 20 Jan 2011, Ian Jackson wrote:
> Stefan Fritsch writes (Re: security updates introducing breakage):
> > Ack. There is no automatic way the security team is notified of such bugs. Please CC us in such cases.
>
> Would it be worth defining a [user]tag of some kind that would allow this kind of thing to be dealt automatically?

If reportbug asked if the bug was a regression introduced in a security update or stable point update, and then CCed the relevant teams, that would be nice, IMHO.

> An alternative would be to look for bugs which are fixed in the previous version but found in the update, and ask submitters of regressions to mark the bug as fixed in the previous working version.

This probably also amounts to reportbug asking if the bug is a regression and then marking the bug as such. If this can be done without the submitter having to know about the BTS's version tracking, this would be ok, too.

Archive: http://lists.debian.org/alpine.deb.1.10.1101202034510.13...@eru.sfritsch.de
Re: security updates introducing breakage
Stefan Fritsch writes (Re: security updates introducing breakage):
> Ack. There is no automatic way the security team is notified of such bugs. Please CC us in such cases.

Would it be worth defining a [user]tag of some kind that would allow this kind of thing to be dealt automatically?

An alternative would be to look for bugs which are fixed in the previous version but found in the update, and ask submitters of regressions to mark the bug as fixed in the previous working version.

Ian.

Archive: http://lists.debian.org/19768.36355.685671.574...@chiark.greenend.org.uk
security updates introducing breakage
Hello,

What is policy when security updates for stable introduce new regressions in software that weren't there before? Can these get fixed in stable?

e.g. I have had somebody complain to me that this bug:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=587702

which was introduced into stable through a security update, has been fixed in unstable/testing, but doesn't seem to be fixed in stable?

What is the recommended way of querying issues like this? The bug in question is archived and closed because it is fixed in unstable, but no attempt has been made to fix the package in stable. So users are forced to install the non-security updated version to work around this.

Thanks.

--
Brian May br...@microcomaustralia.com.au

Archive: http://lists.debian.org/AANLkTi=hbq4nzglm4ak_vtl_6tbpjo15zy5sg0rch...@mail.gmail.com
Re: security updates introducing breakage
On Thu, Jan 20, 2011 at 10:59 AM, Brian May br...@microcomaustralia.com.au wrote:
> What is policy when security updates for stable introduce new regressions in software that weren't there before? Can these get fixed in stable?

If a stable security update contained a regression, usually that is fixed with an update in the stable security archive. Please ping the maintainer and CC the security team about this. You will also want to unarchive the bug so that it can be closed again.

I also wonder why the security team didn't pick this up, I guess they don't have any automatic tracking of bugs filed against versions they uploaded.

--
bye,
pabs

http://wiki.debian.org/PaulWise

Archive: http://lists.debian.org/AANLkTi=97ga+uvemkftee7unc5sx5ruwdu9-2h9qb...@mail.gmail.com