On 19/01/13 21:52, Salvatore Bonaccorso wrote:
> Hi Daniel, hi all
>
> Ok let's try to reassume (I feel like there is some confusion ;-))
>
> Squeeze currently has ganglia 3.1.7-1. So the updated package needs to
> be based on this. Usually introducing a new upstream version is not
> accepted for security updates (an exception is e.g. mysql, where it
> seems not other possible). So this should/will be 3.1.7-1+squeeze1 for
> a Squeeze update.

The upstream 3.1 branch only receives updates of the type that qualify
for the stable branch in Debian (e.g. security updates, fixes for seg
faults). The 3.1.8 upstream release only differs from 3.1.7 in the
addition of the fix for this issue. In this instance, upstream even
created a 3.1.8 branch off the 3.1 branch, just to isolate the fix:

https://github.com/ganglia/monitor-core/commits/release/3.1.8

> Adjusting the Subject of this mail to avoid further confusions.
>
> The source diff between 3.1.7 and 3.1.8 is somehow huge (4.8M, 110
> files changed, 49330 insertions(+), 73094 deletions(-)).
>
> The isolated fix is only in web/graph.php right?

This seems odd, and not what I would expect if I check upstream:

  git clone g...@github.com:ganglia/monitor-core.git
  cd ganglia
  git diff monitor-core-3.1.7 3.1.8

(from that diff, ignore the git2dist and bootstrap changes, those files
are not released in the tarballs)

Is it possible that dpkg-buildpackage is incorrectly regenerating the
tarball, or does squeeze possibly have a modified 3.1.7.orig tarball?

I PGP sign the upstream release announcements, so it should be easy to
verify.

http://www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg05533.html
http://www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg06329.html

> So the upload for stable-security needs only to include the fix to
> actually fix CVE-2012-3448, which seems the part discussed. You as
> contributor upstream might give some more hints what is actually
> needed apart the change in web/graph.php (if there is any).
>
> p.s.: I'm not trying to hijack your work, but only would like to make
> sure that the fix gets into Squeeze for CVE-2012-3448.

I agree this needs to be understood. You'll notice from github that
georgiou (Fedora maintainer) did the backport onto the branch and then I
cut the upstream release. It's good to have multiple people involved in
the process to double-check things like this.

If we are not sure the fix is correct or complete, it probably needs to
be raised on ganglia-dev.

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
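The open question in the message above is whether squeeze's 3.1.7.orig tarball still matches the upstream 3.1.7 release, or whether dpkg-buildpackage regenerated it. Comparing the two by archive hash is not enough, because a re-rolled tarball changes the top-level directory name, file order, timestamps and compression without touching a single source file. The script below, an added example that is not code from this thread or from the ganglia project, compares the two archives file by file instead. All function names are the example's own; make_fixture builds constructed stand-ins for the tarballs so that the demonstration runs offline, and the real check is compare_tarballs on the two downloaded files.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ganglia project.
# Compares the *contents* of two release tarballs (e.g. Debian's
# ganglia_3.1.7.orig.tar.gz against the upstream 3.1.7 tarball), ignoring
# archive-level differences such as the top-level directory name, file
# order, timestamps and compression, which a regenerated tarball changes
# even when no source file did. All function names are this example's own.
set -u

# sha256sum on GNU/Linux, shasum on BSD/macOS; both print "HASH  PATH".
hash_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# If an archive unpacked into a single top-level directory, descend into it,
# so ganglia-3.1.7/ and monitor-core-3.1.7/ are compared by content, not name.
root_of() {
    d="$1"
    set -- "$d"/*
    if [ $# -eq 1 ] && [ -d "$1" ]; then echo "$1"; else echo "$d"; fi
}

# One "HASH  ./relative/path" line per regular file, sorted, relative to root.
manifest() {
    ( cd "$(root_of "$1")" && find . -type f | sort | while IFS= read -r f; do hash_cmd "$f"; done )
}

# compare_tarballs A.tar.gz B.tar.gz
# exit 0: every file identical; 1: contents differ (a unified diff of the
# two manifests is printed); 2: extraction failed.
compare_tarballs() {
    work=$(mktemp -d) || return 2
    mkdir "$work/a" "$work/b"
    if ! tar -xzf "$1" -C "$work/a" || ! tar -xzf "$2" -C "$work/b"; then
        rm -rf "$work"; return 2
    fi
    manifest "$work/a" > "$work/a.sum"
    manifest "$work/b" > "$work/b.sum"
    if diff -u "$work/a.sum" "$work/b.sum"; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}

# --- Constructed fixtures (not real ganglia sources) -------------------------
# make_fixture OUT.tar.gz TOPDIR GRAPH_PHP_BODY: a tiny tree with a web/graph.php
# of the given body, packed under the requested top-level directory name.
make_fixture() {
    src=$(mktemp -d) || return 2
    mkdir -p "$src/$2/web" "$src/$2/gmond"
    printf '%s\n' "$3" > "$src/$2/web/graph.php"
    printf 'int main(void) { return 0; }\n' > "$src/$2/gmond/gmond.c"
    tar -czf "$1" -C "$src" "$2"
    rm -rf "$src"
}

# Demonstration: the same files under different directory names must compare
# equal even though the archive hashes differ; a changed graph.php must not.
demo=$(mktemp -d)
make_fixture "$demo/ganglia_3.1.7.orig.tar.gz" ganglia-3.1.7      '<?php /* graph.php, as released */ ?>'
make_fixture "$demo/monitor-core-3.1.7.tar.gz" monitor-core-3.1.7 '<?php /* graph.php, as released */ ?>'
make_fixture "$demo/monitor-core-3.1.8.tar.gz" monitor-core-3.1.8 '<?php /* graph.php, with the fix */ ?>'
echo "archive-level hashes (all differ, although two archives hold the same files):"
hash_cmd "$demo"/*.tar.gz
compare_tarballs "$demo/ganglia_3.1.7.orig.tar.gz" "$demo/monitor-core-3.1.7.tar.gz" \
    && echo "orig vs upstream 3.1.7: file contents identical"
compare_tarballs "$demo/ganglia_3.1.7.orig.tar.gz" "$demo/monitor-core-3.1.8.tar.gz" \
    || echo "orig vs upstream 3.1.8: file contents differ (diff above)"
rm -rf "$demo"
```

On the real files the call is `compare_tarballs ganglia_3.1.7.orig.tar.gz monitor-core-3.1.7.tar.gz` after fetching the upstream tarball; run `gpg --verify` on the signed release announcement linked above first, so that the upstream side of the comparison is itself trusted. An empty diff means dpkg-buildpackage did not alter the sources; a diff confined to web/graph.php would point at an orig tarball that was patched rather than regenerated.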