Hi there! Seems there's a little confusion regarding the "rar" and "unrar-nonfree" packages.

The "rar" package is basically packaged binaries for rar. This is the only way that rarlabs provides them - and should be considered the "source". This is at 5.5.b4 as far as I can see from the watch file (www.rarlab.com seems down for me currently?).

The package that has source code (unrar-nonfree) is at version 5.5.5 on rarlabs, and is a separate thing (only un-compresses things, whereas the "rar" package also compresses them).

As rar is a binary only package, it's likely to cause issues as it'll be linked against newer libraries, and the libc link means it can't be redistributed as statically linked. unrar-nonfree should be easily backportable - it's just the "rar" version as it's binary only that might be problematic.

I'm a little swamped under with work at the moment - so I'll see what I can do - but I can't promise when - so please, don't let that stop anyone who wishes to take this on - and I can try and give any info that might help to them (I believe both are LowNMU).

For reference -
https://qa.debian.org/cgi-bin/watch?pkg=rar
https://qa.debian.org/cgi-bin/watch?pkg=unrar-nonfree

On 22 June 2017 at 14:20, Raphael Hertzog <[email protected]> wrote:
> Hello Martin,
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of unrar-nonfree:
> https://security-tracker.debian.org/tracker/source-package/unrar-nonfree
>
> We know that the package is non-free and thus not generally part of what
> Debian is supporting on stable releases but we have a fair number of LTS
> sponsors using it and it would thus be nice to see it fixed in
> wheezy-security and in jessie/stretch (through
> jessie-proposed-updates/stretch-proposed-updates since the security team
> is not supporting non-free packages).
>
> To avoid spending too much time on backporting fixes, we're open to
> just pushing the latest upstream release in wheezy-security.
> Unfortunately, the fix to this issue seems to be only in beta versions so
> far and those beta versions did not yet have any corresponding source code
> release? Can you confirm this?
>
> On http://www.rarlab.com/rar_add.htm I only see version 5.5.5 with source
> code (which is newer than what is unstable BTW)... while
> http://www.rarlab.com/download.htm mentions version 5.50 beta 4. The
> former is UnRAR while the latter is RAR but I somehow hope that they are
> maintained in sync. If they are different, where can we see the changelog
> in the UnRAR release?
>
> In any case, if you plan to handle the wheezy update, please follow the
> workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to [email protected]
> (via a debdiff, or with a URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
>
> You can also opt-out from receiving future similar emails in your
> answer and then the LTS Team will take care of unrar-nonfree updates
> for the LTS releases.
>
> Thank you very much.
>
> Raphaël Hertzog,
> on behalf of the Debian LTS team.
>
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
> --
> Raphaël Hertzog ◈ Debian Developer
>
> Support Debian LTS: https://www.freexian.com/services/debian-lts.html
> Learn to master Debian: https://debian-handbook.info/get/

