On Thu, 2015-04-23 at 07:10 +0200, Guillem Jover wrote:
> Hi!
>
> On Wed, 2015-04-22 at 01:53:16 +0100, Ben Hutchings wrote:
> > I've prepared an update to dpkg in squeeze-lts to fix CVE-2015-0840. As
> > it's a native package, I'd like to check some points with you:
> >
> > - Would you rather I numbered it as 1.15.12 or 1.15.11+nmu1?
>
> I'm a bit uncomfortable both with doing volunteer work for the LTS
> release, and getting an NMU for dpkg. But given that you've done the
> heavy lifting of hunting the patches and backporting them, I'd be fine
> with just merging them and releasing a tarball or a source package
> (although I can as well build both i386 and amd64 binaries if needed).

I'd prefer if you merged and released the tarball, then I can do the rest.

> If you still want to prepare it yourself, then as Holger said, please
> use +deb6u1.
>
> > - Should I do anything with the tarball produced by 'make dist'?
>
> If going with the second option above, then
> <https://wiki.debian.org/Teams/Dpkg/GitUsage> has some instructions
> that apply to master, they do need some small tweaking for 1.15.x.
>
> Also AFAIR, due to a release accident the 1.15.x series were
> autoreconfed from a wheezy system, so doing so from squeeze should
> produce much noise (and it would be on the unsafe side).

I noticed that and tried autoreconf'ing from wheezy. It still resulted
in some changes in generated files, though none in the configure script
aside from the package version.

> > - Are you happy to pull from my git branch, or should I send one or
> > multiple patches?
>
> Given that you've done the hunting and backporting I'd like your SOB
> lines on all patches, alongside
> [mail@domain:\n - Brief change description. ] markers for the patches
> that required changes so proper credit is given in the commit message.

OK, I've rebased and added that. All of the cherry-picks conflicted in
debian/changelog, but I didn't bother to mention that. Aside from that
they were mostly clean.

I also dropped the 'release' commit so you'll need to finalise the
changelog as you see fit.

Ben.

> > git repository:
> > http://git.decadent.org.uk/gitweb?p=dpkg.git;a=summary
> > http://git.decadent.org.uk/git/dpkg.git
>
> I've only skimmed over these, but they look like the patches that
> should be picked up. I can review them out properly while merging.
>
> Thanks,
> Guillem

-- 
Ben Hutchings
I'm not a reverse psychological virus. Please don't copy me into your sig.