Your message dated Thu, 08 Dec 2022 02:38:28 +0000
with message-id <[email protected]>
and subject line Bug#1023804: fixed in git-remote-hg 1.0.4~ds-1
has caused the Debian Bug report #1023804,
regarding git-remote-hg: autopkgtest needs update for new version of git:
transport 'file' not allowed
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1023804: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023804
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: git-remote-hg
Version: 1.0.3.2~ds-2
Severity: serious
X-Debbugs-CC: [email protected]
Tags: sid bookworm
User: [email protected]
Usertags: needs-update
Control: affects -1 src:git
Dear maintainer(s),
With a recent upload of git the autopkgtest of git-remote-hg fails in
testing when that autopkgtest is run with the binary packages of git
from unstable. It passes when run with only packages from testing. In
tabular form:
                       pass            fail
git                    from testing    1:2.38.1-1
git-remote-hg          from testing    1.0.3.2~ds-2
all others             from testing    from testing
I copied some of the output at the bottom of this report. This is due to
"""
  * Addresses the security issue CVE-2022-39253: cloning an
    attacker-controlled local repository could store arbitrary files
    in the ".git" directory of the destination repository.
"""
This has a nice write up:
https://vielmetti.typepad.com/logbook/2022/10/git-security-fixes-lead-to-fatal-transport-file-not-allowed-error-in-ci-systems-cve-2022-39253.html
Currently this regression is blocking the migration of git to testing
[1]. Of course, git shouldn't just break your autopkgtest (or even
worse, your package), but it seems to me that the change in git was
intended and your package needs to update to the new situation.
If this is a real problem in your package (and not only in your
autopkgtest), the right binary package(s) from git should really add a
versioned Breaks on the unfixed version of (one of your) package(s).
Note: the Breaks is nice even if the issue is only in the autopkgtest as
it helps the migration software to figure out the right versions to
combine in the tests.
More information about this bug and the reason for filing it can be found on
https://wiki.debian.org/ContinuousIntegration/RegressionEmailInformation
Paul
[1] https://qa.debian.org/excuses.php?package=git
https://ci.debian.net/data/autopkgtest/testing/amd64/g/git-remote-hg/28079228/log.gz
Initialized empty Git repository in
/tmp/autopkgtest-lxc.4ir0bv3l/downtmp/build.jzc/src/test/trash
directory.main-push/tmp/sub/.git/
[master (root-commit) be983cd] init
Author: A U Thor <[email protected]>
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 empty
Initialized empty Git repository in
/tmp/autopkgtest-lxc.4ir0bv3l/downtmp/build.jzc/src/test/trash
directory.main-push/tmp/gitrepo/.git/
Cloning into
'/tmp/autopkgtest-lxc.4ir0bv3l/downtmp/build.jzc/src/test/trash
directory.main-push/tmp/gitrepo/sub'...
fatal: transport 'file' not allowed
fatal: clone of
'/tmp/autopkgtest-lxc.4ir0bv3l/downtmp/build.jzc/src/test/trash
directory.main-push/tmp/sub' into submodule path
'/tmp/autopkgtest-lxc.4ir0bv3l/downtmp/build.jzc/src/test/trash
directory.main-push/tmp/gitrepo/sub' failed
not ok 52 - push with submodule
--- End Message ---
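Added example, not part of the bug report and not the change shipped in git-remote-hg 1.0.4: a shell sketch of the failing step in the log above (a submodule cloned from a local path), next to a per-command override that leaves git's hardened default in place for every other invocation. The function names and repository names are constructed; protocol.file.allow is git's own setting and is not mentioned in the report.

```shell
#!/bin/sh
# Constructed example: a local-path submodule clone under git's default
# protocol policy, and the same clone with the file transport allowed for
# that one command only (no change to global or system configuration).

# Create <workdir>/sub and <workdir>/super, each holding one empty commit.
make_repos() {
    work=$1
    for name in sub super; do
        git init -q "$work/$name" &&
        git -C "$work/$name" -c user.name='A U Thor' \
            -c user.email=author@example.invalid \
            commit -q --allow-empty -m init || return 1
    done
}

# Add sub as a submodule of super by absolute path with the default policy.
# A git carrying the CVE-2022-39253 fix refuses this with
# "fatal: transport 'file' not allowed"; an older git accepts it.
add_submodule_default() {
    git -C "$1/super" submodule add "$1/sub" sub_default 2>&1
}

# Same operation, but "-c" scopes the override to this single invocation;
# git passes it on to the clone it runs for the submodule.
add_submodule_scoped() {
    git -C "$1/super" -c protocol.file.allow=always \
        submodule add "$1/sub" sub_scoped 2>&1
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d)
if make_repos "$demo_dir"; then
    add_submodule_default "$demo_dir" >/dev/null ||
        echo "default policy: local submodule clone refused"
    add_submodule_scoped "$demo_dir" >/dev/null &&
        echo "scoped override: local submodule clone allowed"
fi
rm -rf "$demo_dir"
```

In a test suite the override belongs on the individual commands that clone fixtures the suite created itself, so that clones of repositories from any other origin keep the default policy.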
--- Begin Message ---
Source: git-remote-hg
Source-Version: 1.0.4~ds-1
Done: Paul Wise <[email protected]>
We believe that the bug you reported is fixed in the latest version of
git-remote-hg, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Paul Wise <[email protected]> (supplier of updated git-remote-hg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 08 Dec 2022 10:00:03 +0800
Source: git-remote-hg
Architecture: source
Version: 1.0.4~ds-1
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <[email protected]>
Changed-By: Paul Wise <[email protected]>
Closes: 1023804
Changes:
git-remote-hg (1.0.4~ds-1) unstable; urgency=medium
.
* QA upload.
* New upstream release.
- Drop patches merged upstream
- Fixes test failure with git security update (Closes: #1023804)
* Update standards version to 4.6.1, no changes needed.
--- End Message ---