Hi Daniel, hi Yves-Alexis

In short, [1] looks to be the only change needed for the security update. So the debdiff I posted should be okay. But I will leave it to Yves-Alexis (who is a Debian Security Team member) which way to go.
On Sat, Jan 19, 2013 at 10:15:00PM +0100, Daniel Pocock wrote:
> On 19/01/13 21:52, Salvatore Bonaccorso wrote:
> > Hi Daniel, hi all
> >
> > Ok let's try to recap (I feel like there is some confusion ;-))
> >
> > Squeeze currently has ganglia 3.1.7-1. So the updated package needs to
> > be based on this. Usually introducing a new upstream version is not
> > accepted for security updates (an exception is e.g. mysql, where it
> > seems not otherwise possible). So this should/will be 3.1.7-1+squeeze1 for
> > a Squeeze update.
>
> The upstream 3.1 branch only receives updates of the type that qualify
> for the stable branch in Debian (e.g. security updates, fixes for seg
> faults). The 3.1.8 upstream release only differs from 3.1.7 with the
> addition of the fix for this issue.
>
> In this instance, upstream even created a 3.1.8 branch off the 3.1
> branch, just to isolate the fix:
>
> https://github.com/ganglia/monitor-core/commits/release/3.1.8

Ok, and indeed this [1] confirms that the isolated fix is the one-liner.
Thanks.

[1]: https://github.com/ganglia/monitor-core/commit/3404fbfcfad74c4c050578add31ea3a5ec5f0276

> > Adjusting the Subject of this mail to avoid further confusion.
> >
> > The source diff between 3.1.7 and 3.1.8 is somewhat huge (4.8M, 110
> > files changed, 49330 insertions(+), 73094 deletions(-)).
> >
> > The isolated fix is only in web/graph.php, right?
>
> This seems odd, and not what I would expect if I check upstream:
>
> git clone g...@github.com:ganglia/monitor-core.git
>
> cd ganglia
> git diff monitor-core-3.1.7 3.1.8
>
> (from that diff, ignore the git2dist and bootstrap changes; those files
> are not released in the tarballs)
>
> Is it possible that dpkg-buildpackage is incorrectly regenerating the
> tarball, or does squeeze possibly have a modified 3.1.7.orig tarball?
>
> I PGP sign the upstream release announcements, so it should be easy to
> verify.
> http://www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg05533.html
> http://www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg06329.html

This is how I checked the above:

wget http://cdn.debian.net/debian/pool/main/g/ganglia/ganglia_3.1.7.orig.tar.gz

From [2] there is a link to the source tarball:

[2] http://www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg06329.html

I fetched the ganglia-3.1.8.tar.gz, checksummed it with sha224sum, and compared the two source trees. (A lot can be excluded, right, as it is autogenerated stuff.)

Regards,
Salvatore
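The check Salvatore describes above (verify the fetched tarball's SHA-224 digest, unpack both releases, then compare the trees with the autogenerated build output excluded so that only the real source change remains), written out as an added example that is not part of the thread and not the ganglia project's own tooling. It runs offline on two small source trees constructed inline in place of ganglia_3.1.7.orig.tar.gz and ganglia-3.1.8.tar.gz; the "published" digest is computed here rather than taken from a release announcement, and the exclusion list (configure, Makefile.in, config.*, aclocal.m4, autom4te.cache, ltmain.sh) is an assumption about what autotools regenerates per release.

```shell
#!/bin/sh
# Added example, not code from the thread: verify a release tarball's digest
# with sha224sum and diff two unpacked source trees while ignoring the
# autogenerated autotools output that inflates a raw diff.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a small stand-in for a ganglia source tree (constructed data).
# $1 = tree directory, $2 = marker line written into web/graph.php
make_tree() {
    mkdir -p "$1/web" "$1/gmond"
    printf '<?php\n// %s\n' "$2" > "$1/web/graph.php"
    printf 'int main(void) { return 0; }\n' > "$1/gmond/gmond.c"
    # Regenerated for every release: differs between trees, but is not a source change.
    printf '#!/bin/sh\n# generated by autoconf while packaging %s\n' "$1" > "$1/configure"
    printf '# generated by automake while packaging %s\n' "$1" > "$1/Makefile.in"
}

# Pretend upstream: 3.1.8 differs from 3.1.7 by one line in web/graph.php.
make_tree "$WORK/ganglia-3.1.7" 'release 3.1.7'
make_tree "$WORK/ganglia-3.1.8" 'release 3.1.8: the isolated fix'
TARBALL_OLD="$WORK/ganglia_3.1.7.orig.tar.gz"
TARBALL_NEW="$WORK/ganglia-3.1.8.tar.gz"
tar -C "$WORK" -czf "$TARBALL_OLD" ganglia-3.1.7
tar -C "$WORK" -czf "$TARBALL_NEW" ganglia-3.1.8

# SHA-224 digest of a file, in the form a release announcement would quote.
digest_of() {
    if command -v sha224sum >/dev/null 2>&1; then
        sha224sum "$1" | cut -d' ' -f1
    else
        shasum -a 224 "$1" | cut -d' ' -f1
    fi
}

# Exit 0 when the tarball's digest equals the published one, 1 otherwise.
verify_digest() {  # $1 = tarball, $2 = expected digest
    [ "$(digest_of "$1")" = "$2" ]
}

# Number of files a raw recursive diff reports as different (no exclusions).
raw_diff_count() {  # $1 = tree A, $2 = tree B
    diff -rq "$1" "$2" | grep -c '^Files' || true
}

# Files that genuinely differ once autogenerated build output is excluded.
# The -x list is an assumption about what autotools regenerates per release.
# Prints tree-relative paths, one per line; "Only in" entries are included.
source_diff() {  # $1 = tree A, $2 = tree B
    diff -rq -x configure -x Makefile.in -x 'config.*' -x aclocal.m4 \
         -x autom4te.cache -x ltmain.sh "$1" "$2" \
        | sed -n -e 's/^Files \(.*\) and .* differ$/\1/p' \
                 -e 's/^Only in \(.*\): \(.*\)$/\1\/\2/p' \
        | sed -e "s|^$1/||" -e "s|^$2/||"
}

# The digest a release announcement would publish for 3.1.8 (computed here
# because this example runs offline).
PUBLISHED_NEW=$(digest_of "$TARBALL_NEW")

# 1. Check the fetched tarball against the announced digest before trusting it.
#    With set -e a mismatch aborts the script here.
verify_digest "$TARBALL_NEW" "$PUBLISHED_NEW"

# 2. Unpack both tarballs and compare the trees.
mkdir "$WORK/src"
tar -C "$WORK/src" -xzf "$TARBALL_OLD"
tar -C "$WORK/src" -xzf "$TARBALL_NEW"
SRC_OLD="$WORK/src/ganglia-3.1.7"
SRC_NEW="$WORK/src/ganglia-3.1.8"

echo "raw diff reports $(raw_diff_count "$SRC_OLD" "$SRC_NEW") differing files"
echo "after excluding autogenerated files, the real change is in:"
source_diff "$SRC_OLD" "$SRC_NEW"
```

On the constructed trees the raw diff reports three differing files (configure, Makefile.in and web/graph.php) while the filtered diff leaves only web/graph.php, which is the situation the thread describes in miniature. Note that a matching digest only ties the tarball to the announcement; it is the PGP signature on that announcement, which this example does not check, that ties the announcement to upstream.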