Bug#833909: RFS: xml-security-c/1.7.3-3~bpo7+1 [BPO]

2016-08-12 Thread Ferenc Wágner
Gianfranco Costamagna  writes:

> Hi Ferenc and Etienne,
>
>>> It'd probably make sense to start with a jessie backport, where
>>> this change is necessary, then branch off the wheezy backport from
>>> that, and do the PKG_INSTALLDIR change only.
>
> fully agree
> (do you mean, "the revert is necessary", right?)

Right.

>> Thank you Gianfranco and Ferenc for your inputs. I'll redo this as a
>> jessie backport first.
>
> so, Ferenc, if you agree I can sponsor as soon as you give me an ack :)
> Are you in the -backports ACL? in that case you might be able to upload
> by yourself after the first upload in backports-new.

Thanks, I'm in the backports ACL and I became a DD on Wednesday, so I
should be able to handle this upload myself.  I've never sponsored an
upload yet, so we'll see.  If it does not work out, or on occasions when
I'm unavailable, your help (both review and upload) will be much
appreciated.
-- 
Thanks,
Feri



Bug#833909: RFS: xml-security-c/1.7.3-3~bpo7+1 [BPO]

2016-08-10 Thread Ferenc Wágner
Gianfranco Costamagna  writes:

> the library has been renamed and conflicts with the non-v5 version, because
> of the libstdc++ transition.
>
> backporting to jessie and wheezy (where the transition didn't happen) means
> you have to revert that change, because otherwise the package will be
> uninstallable with all of the reverse dependencies, because of:
>
> Package: libxml-security-c17v5
> Conflicts:
>  libxml-security-c17,
> Replaces:
>  libxml-security-c17,
>
> in this case, oldstable has the library with a different soname (c16),
> so I'm not sure if the rename is worth the effort or not, please ask
> on -mentors, -devel or wherever you find more appropriate.

It'd probably make sense to start with a jessie backport, where this
change is necessary, then branch off the wheezy backport from that, and
do the PKG_INSTALLDIR change only.

> also, can the new patch be added to the package in unstable too?
> -  * [aba87f7] New patch 
> Remove-PKG_INSTALLDIR-to-build-with-older-pkg-config.patch

In principle it could, but it was added in the latest revision with the
very purpose of getting it tested before upstreaming.
-- 
Feri



Bug#833909: RFS: xml-security-c/1.7.3-3~bpo7+1 [BPO]

2016-08-10 Thread Etienne Dysli-Metref

Thank you very much for your review Gianfranco. :)

On 10/08/16 11:31, Gianfranco Costamagna wrote:
> 1) really? what about don't care to wheezy anymore?

What do you mean? Should backports only be done for jessie now?

Here is the backstory: we (SWITCH) are providing Shibboleth packages
for Debian and Ubuntu to members of our community (universities and
high schools in Switzerland). We chose to support wheezy, jessie,
precise, trusty and xenial as you can see in our Shibboleth Service
Provider installation guide [1]. To this end, I'm already packaging
for all five distributions so why not have Debian benefit from it by
contributing backports at the same time? Also, I want our packages to
be closer to Debian's to 1) avoid version conflicts 2) reduce the
repackaging needed on our end.

[1] https://www.switch.ch/aai/guides/sp/installation/

> Did you get in touch with the maintainers? They seem active, one
> of them is a DM, and might be able to upload it for you if needed

Yes, I'm in touch with Ferenc Wágner. He wasn't able to upload that
package yesterday evening.

> 2)
> 
> this looks wrong to me. the library has been renamed and conflicts
> with the non-v5 version, because of the libstdc++ transition.
> 
> backporting to jessie and wheezy (where the transition didn't happen)
> means you have to revert that change, because otherwise the package
> will be uninstallable with all of the reverse dependencies, because of:
> 
> Package: libxml-security-c17v5
> Conflicts: libxml-security-c17,
> Replaces: libxml-security-c17,

Oh good catch! I'll revert the names to c17.

> 3)
> 
> also, can the new patch be added to the package in unstable too?
> -  * [aba87f7] New patch
> Remove-PKG_INSTALLDIR-to-build-with-older-pkg-config.patch
> 
> is it a breaking change, incompatible with new pkg-config?

I'll defer to Ferenc on that one.

> 4) dpkg-source: warning: failed to verify signature on
> /tmp/xml-security-c_1.7.3-3~bpo7+1.dsc
> 
> dpkg-source: error: file /tmp/xml-security-c_1.7.3.orig.tar.gz has
> size 909320 instead of expected 897454
> 
> please use the right orig tarball, thanks.

Will do at the next upload.

Should I increment the bpo revision for the next upload (bpo7+2)?

Cheers,
   Etienne



Bug#833909: RFS: xml-security-c/1.7.3-3~bpo7+1 [BPO]

2016-08-10 Thread Gianfranco Costamagna
control: owner -1 !
control: tags -1 moreinfo

>to wheezy-backports-sloppy as a first step to backporting other

1) really? what about not caring about wheezy anymore?
Did you get in touch with the maintainers? They seem active, one of them
is a DM, and might be able to upload it for you if needed

>libxml-security-c-dev - C++ library for XML Digital Signatures
>(development)
>libxml-security-c17v5 - C++ library for XML Digital Signatures (runtime)
>xml-security-c-utils - C++ library for XML Digital Signatures (utilities)


2)

this looks wrong to me.
the library has been renamed and conflicts with the non-v5 version, because
of the libstdc++ transition.

backporting to jessie and wheezy (where the transition didn't happen) means
you have to revert that change, because otherwise the package will be
uninstallable with all of the reverse dependencies, because of:
Package: libxml-security-c17v5

Conflicts:
 libxml-security-c17,
Replaces:
 libxml-security-c17,

in this case, oldstable has the library with a different soname (c16), so
I'm not sure if the rename is worth the effort or not, please ask on -mentors,
-devel or wherever you find more appropriate.

(I would call it c17 without the v5, to avoid bad installations with apt-pinned
packages from Stretch, avoiding runtime failures and segfaults, but I have no
strong opinion)


3)

also, can the new patch be added to the package in unstable too?
-  * [aba87f7] New patch
Remove-PKG_INSTALLDIR-to-build-with-older-pkg-config.patch

is it a breaking change, incompatible with new pkg-config?

4)
dpkg-source: warning: failed to verify signature on
/tmp/xml-security-c_1.7.3-3~bpo7+1.dsc

dpkg-source: error: file /tmp/xml-security-c_1.7.3.orig.tar.gz has size 909320
instead of expected 897454

please use the right orig tarball, thanks.


it should be all for now.

cheers,

G.
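
Point 4 above is dpkg-source checking the orig tarball against the sizes and checksums recorded in the .dsc, which is the file the uploader actually signed; a tarball that does not match those fields is not the one that was signed, whatever its contents. The following Python example is added here for illustration and is neither dpkg's code nor part of this thread: it parses the Checksums-Sha256 field of a .dsc and checks a file's size and digest against it. The .dsc fragment and the two tarball stand-ins are constructed inline using only the two sizes quoted in the dpkg-source error (897454 expected, 909320 seen); their contents are fake and the Files/Checksums-Sha1 fields are omitted for brevity.

```python
import hashlib

# Illustrative parser for the multi-line checksum fields of a Debian .dsc.
# Added for this thread; it is not dpkg-source's implementation.


def parse_dsc_entries(dsc_text, field):
    """Return {filename: (hexdigest, size)} for one checksum field of a .dsc.

    In a .dsc, 'Files:', 'Checksums-Sha1:' and 'Checksums-Sha256:' have an
    empty value on the field line and one '<hash> <size> <name>' entry per
    indented continuation line. A non-indented line starts the next field.
    """
    entries = {}
    in_field = False
    for line in dsc_text.splitlines():
        if line.startswith((" ", "\t")):
            if in_field and line.strip():
                digest, size, name = line.split()
                entries[name] = (digest, int(size))
            continue
        in_field = line.split(":", 1)[0] == field
    return entries


def verify_file(dsc_text, name, data):
    """Check one file (e.g. the orig tarball) against size and SHA-256 in the .dsc.

    Returns (ok, reason). Size is compared first, which is the mismatch
    dpkg-source reported in the thread, then the digest.
    """
    expected = parse_dsc_entries(dsc_text, "Checksums-Sha256")
    if name not in expected:
        return False, f"{name} not listed in Checksums-Sha256"
    digest, size = expected[name]
    if len(data) != size:
        return False, f"file {name} has size {len(data)} instead of expected {size}"
    actual = hashlib.sha256(data).hexdigest()
    if actual != digest:
        return False, f"file {name} has SHA-256 {actual} instead of expected {digest}"
    return True, "ok"


# Constructed stand-ins for xml-security-c_1.7.3.orig.tar.gz: only the sizes
# are taken from the thread (897454 bytes expected, 909320 bytes found).
# The bytes themselves are fake, so only size and digest are meaningful here.
ORIG_NAME = "xml-security-c_1.7.3.orig.tar.gz"
GOOD_TARBALL = b"\x1f\x8b" + b"\0" * (897454 - 2)
WRONG_TARBALL = b"\x1f\x8b" + b"\0" * (909320 - 2)


def build_dsc(tarball):
    """Build a minimal, unsigned .dsc fragment listing the given tarball.

    Hypothetical helper: a real .dsc also carries Files: (md5) and
    Checksums-Sha1: entries and is usually wrapped in a PGP signature.
    """
    sha = hashlib.sha256(tarball).hexdigest()
    return (
        "Format: 3.0 (quilt)\n"
        "Source: xml-security-c\n"
        "Version: 1.7.3-3~bpo7+1\n"
        "Checksums-Sha256:\n"
        f" {sha} {len(tarball)} {ORIG_NAME}\n"
    )


SAMPLE_DSC = build_dsc(GOOD_TARBALL)


def demo():
    """Verify the matching and the mismatching tarball against SAMPLE_DSC."""
    return (
        verify_file(SAMPLE_DSC, ORIG_NAME, GOOD_TARBALL),
        verify_file(SAMPLE_DSC, ORIG_NAME, WRONG_TARBALL),
    )


if __name__ == "__main__":
    for ok, reason in demo():
        print("OK " if ok else "FAIL", reason)
```

On a real upload the same check is what `dpkg-source -x` performs before unpacking, after verifying the signature on the .dsc; the fix in this case is to fetch the orig tarball that the .dsc was generated against (for a backport, the one already in the archive) rather than to regenerate the .dsc around a different tarball.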



Bug#833909: RFS: xml-security-c/1.7.3-3~bpo7+1 [BPO]

2016-08-10 Thread Etienne Dysli-Metref

Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my backport of package "xml-security-c"
to wheezy-backports-sloppy as a first step to backporting other
Shibboleth packages to wheezy and jessie (see
https://qa.debian.org/developer.php?email=pkg-shibboleth-devel%40lists.alioth.debian.org
for a list of Shib packages).

* Package name: xml-security-c
  Version : 1.7.3-3~bpo7+1
  Upstream Author : http://santuario.apache.org/team.html
* URL : http://santuario.apache.org/cindex.html
* License : Apache-2.0
  Section : libs

It builds those binary packages:

libxml-security-c-dev - C++ library for XML Digital Signatures (development)
libxml-security-c17v5 - C++ library for XML Digital Signatures (runtime)
xml-security-c-utils - C++ library for XML Digital Signatures (utilities)

To access further information about this package, please visit the
following URL:

  https://mentors.debian.net/package/xml-security-c

Alternatively, one can download the package with dget using this command:

  dget -x https://mentors.debian.net/debian/pool/main/x/xml-security-c/xml-security-c_1.7.3-3~bpo7+1.dsc

More information about xml-security-c can be obtained from
http://santuario.apache.org/cindex.html.

Changes since the last upload (wheezy 1.6.1-5+deb7u2):

 xml-security-c (1.7.3-3~bpo7+1) wheezy-backports-sloppy; urgency=medium
 .
   [ Etienne Dysli Metref ]
   * Rebuild for wheezy-backports-sloppy.
   * [aba87f7] New patch
Remove-PKG_INSTALLDIR-to-build-with-older-pkg-config.patch
 .
 xml-security-c (1.7.3-3) unstable; urgency=medium
 .
   * [dee8abd] New patch Only-add-found-packages-to-the-pkg-config-dependenci.patch
 .
 xml-security-c (1.7.3-2) unstable; urgency=medium
 .
   * [9af4b2f] New patches fixing GCC-6 FTBFS, warnings and typos
 (Closes: #811620)
   * [eb1af76] Update Standards-Version to 3.9.8 (no changes needed)
   * [e742472] Switch to secure VCS URIs
   * [894b638] New patch Use-pkg-config-for-Xerces-OpenSSL-and-NSS-and-provid.patch
   * [64c49b7] New patch We-do-not-use-pthreads-threadtest.cpp-is-Windows-onl.patch
   * [a5a8a19] The build system now links with the needed libraries only
 .
 xml-security-c (1.7.3-1) unstable; urgency=medium
 .
   * [df661d6] Check signature in watch file
   * [b78a045] Add debian/gbp.conf enabling pristine-tar
   * [ca9476a] Imported Upstream version 1.7.3
   * [f8b635d] Delete upstreamed patch "Avoid use of PATH_MAX where possible"
   * [9d2337f] Switch watch file to check for bzip-compressed archives
   * [f95b4ef] The default compressor is xz since jessie
   * [ed19f44] Renaming of the binaries happens via a patch since 4771f62 and
     017dc35
   * [34dd591] Enable all hardening features
   * [893eda7] Remove superfluous dh_clean override
   * [2207b52] Fail package build if any installed file is left out in the future
   * [62c8d2f] Add myself to Uploaders
   * [4afa12e] Update Standards-Version to 3.9.6 (no changes needed)
   * [d338569] Since 2b8a713 we've got proper patch files
   * [cd68dec] Enable commit ids in gbp dch
   * [71cc459] Add version number to the manual pages
   * [e544a7b] Run wrap-and-sort -ast on the package
   * [cf73c2b] Get rid of patch numbers
   * [0832cf9] New patch
 Avoid-forward-incompatibility-warnings-from-Automake.patch
   * [3099c82] Comment the --as-needed tricks
   * [e26686c] Update debian/copyright
   * [3fad239] Add NOTICE.txt to all binary packages
   * [4eaef76] Incorporate the 1.7.2-3.1 NMU.  Thanks to Julien Cristau.
 .
 xml-security-c (1.7.2-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Rename library packages for g++5 ABI transition (closes: 791323).
 .
 xml-security-c (1.7.2-3) unstable; urgency=medium
 .
   * Avoid use of PATH_MAX where possible by using getcwd to allocate the
     appropriate size string.  Fixes FTBFS on GNU/Hurd.  Patch from Svante
     Signell.  (Closes: #735162)
   * Convert all Debian patches to separate patch files managed via
gbp pq.
   * Update standards version to 3.9.5 (no changes required).
 .
 xml-security-c (1.7.2-2) unstable; urgency=low
 .
   * Upload to unstable.
 .
 xml-security-c (1.7.2-1) experimental; urgency=high
 .
   * New upstream release.
     - The attempted fix to address CVE-2013-2154 introduced the
       possibility of a heap overflow, possibly leading to arbitrary code
       execution, in the processing of malformed XPointer expressions in
       the XML Signature Reference processing code.  Fix that heap
       overflow.  (Closes: #714241, CVE-2013-2210)
 .
 xml-security-c (1.7.1-1) experimental; urgency=high
 .
   * New upstream release.
 - Fix a spoofing vulnerability that allows an attacker to reuse
   existing signatures with arbitrary content.  (CVE-2013-2153)
 - Fix a stack overflow in the processing of malformed XPointer
   expressions in the XML Signature Reference pro