Hi, On Mon, 28 Nov 2016, Roberto C. Sánchez wrote: > Quite right: > http://people.debian.org/~roberto/imagemagick_6.7.7.10-5+deb7u7_6.7.7.10-5+deb7u8.diff
Somme comments: - since we have no git history, it's nice to indicate in each patch what CVE it fixes (I like to name the patch according to the CVE it fixes too) here, I have to lookup the upstream ticket or commit to find out and in many cases, it's no longer possible since the patch refers to a trac.imagemagick.org URL which no longer exists and/or the commit does not have the CVE number :( - in some cases, you have used anonscm.debian.org URL as reference for a patch like this one: https://anonscm.debian.org/cgit/collab-maint/imagemagick.git/patch/?id=33b2d377b94eb738011bc7d5e90ca0a16ce4d471 You should really strive to use a reference in the upstream repository because that's what everybody should use. That's all I can say because I can't realistically review the content of all patches. > I suppose I should have been more clear in my request. The built > packages are there (retrievable by the .changes file I linked in my > original message). A very small number of the Debian bugs had files > that could be used to produce buggy insecure behavior, but I was hoping > that there would be something more comprehensive to check for > regressions. However, the unit tests themselves appear (at least to me) > to provide excellent coverage, so they may be sufficient. In any event, > I have exhausted my available time for the month, so if anyone out there > (especially heavy users of imagemagick, as I am not personally a > particularly heavy user of imagemagick) could test these packages, then > that would be excellent. I did install your packages in my test VM and did a bunch of tests (with convert, display and with tools linking against various libmagick* including psftools, inkscape), and I have not found any issue. Cheers, -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: http://www.freexian.com/services/debian-lts.html Learn to master Debian: http://debian-handbook.info/get/
