Your message dated Wed, 12 Apr 2017 22:10:19 +0200
with message-id <20170412201017.ga2...@ugent.be>
and subject line Re: Bug#857752: unblock: apt-cacher-ng/3-1
has caused the Debian Bug report #857752,
regarding unblock: apt-cacher-ng/3-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
857752: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857752
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Hello,

I would like to create a new upstream version and soon a Debian revision of
apt-cacher-ng, with a short cycle through experimental to make sure not to run
into any platform build issues. It fixes three nasty issues that some users
might consider security related bugs. Changelogs for upstream and debian
attached below.

Particular commits to see at
https://anonscm.debian.org/cgit/apt-cacher-ng/apt-cacher-ng.git/log/?h=upstream%2Fsid
https://anonscm.debian.org/cgit/apt-cacher-ng/apt-cacher-ng.git/log/?h=debian%2Fexperimental
or in the attached diff file.

While not released yet, the work is basically finished. The only remaining bug
I intend to fix in addition is
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855618 but this will be done
with care.

Although the changes might look scary, I have actually postponed all major
changes and kept only:

- update of volatile file (mirror database)
- security related improvements, including better SSL host checks
- also including alternative SSL host validation code which should allow
  proper backports to Debian LTS and Ubuntu LTS
- and harmless/cosmetic changes like clang warning workarounds

I would like to hear your opinion ASAP. I can imagine extracting the most
critical changes to make an intermediate release, but the result would be
harder to validate and maintain and I (although biased) would not like to
throw those changes away for a version which is supposed to stay around for a
while.

apt-cacher-ng (3-1) UNRELEASED; urgency=medium

  * New upstream version
    + fixes hidden space allocation issue (closes: #856635)
  * Spanish translation update (by Matías A. Bellone, closes: #853105)
  * Instructions on how to work around cron job execution and "special needs"
    of some users to disable the admin page (closes: #855996)

 --

apt-cacher-ng (3) THIS-IS-NOT-THE-END; urgency=medium

  * NOTE: this release tackles multiple issues that might be considered
    security related in certain environments.
  * FIX: Making sure to truncate the file in case its download is aborted.
    This is needed in order to avoid hidden filesystem space allocation
    (Debian bug #856635). Also more delicate use of fallocate calls on Linux
    due to the potential syscall execution delay. By default, limit the
    requested size to the first megabyte of a file.
  * FIX: detection of incorrectly allocated files and automated trimming in
    expiration run
  * FIX: compilation with GCC7, also warning fixes with Clang4
  * FIX: better checking of possibly invalid remote certificate configuration
    in SSL client code
  * FIX: added workaround code for OpenSSL certificate validation even with
    ancient SSL versions like the one found in Ubuntu 14 LTS; borrowed from
    libevent examples (originally from ssl-conservatory and cURL)
  * FIX: no printing of requested file name in the 403 HTTP status line
  * FIX: typo/wording in manual, iptables examples
  * Database update

 -- Eduard Bloch <bl...@debian.org>  Tue, 14 Mar 2017 16:23:20 +0100

 CMakeLists.txt                                 | 123 +++++++++-----
 COPYING                                        |  62 ++++++-
 ChangeLog                                      |  23 +++
 TODO                                           |  26 +--
 VERSION                                        |   2 +-
 client/CMakeLists.txt                          |   2 +-
 conf/acng.conf.in                              |  14 +-
 conf/deb_mirrors.gz                            | Bin 3697 -> 4095 bytes
 conf/epel_mirrors                              |  45 +++--
 conf/fedora_mirrors                            |  16 +-
 conf/gentoo_mirrors.gz                         | Bin 2603 -> 2588 bytes
 conf/sl_mirrors                                |   2 +
 conf/ubuntu_mirrors                            |  57 +++++--
 dbgen/sig-debian                               |   2 +-
 dbgen/sig-fsnap                                |   2 +-
 dbgen/sig-slsnap                               |   2 +-
 dbgen/sig-ubuntu                               |   2 +-
 debian/README.Debian                           |  23 +++
 debian/apt-cacher-ng.cron.daily                |  12 ++
 debian/apt-cacher-ng.default                   |  10 +-
 debian/changelog                               |  10 ++
 debian/po/es.po                                |  33 ++--
 doc/README                                     |   4 +-
 doc/apt-cacher-ng.pdf                          | 178 +++++++++----------
 doc/html/secure.html                           |   4 +-
 doc/src/README.but                             |   4 +-
 fs/CMakeLists.txt                              |  34 ++--
 fs/httpfs.cc                                   |   4 +-
 include/acfg.h                                 |   7 +-
 include/acsyscap.h.in                          |   1 +
 include/conn.h                                 |  14 +-
 include/dlcon.h                                |   3 +-
 include/expiration.h                           |   2 +
 include/fileitem.h                             |   4 +-
 include/job.h                                  |   6 +-
 include/meta.h                                 |   8 +
 oldssl-workaround/CMakeLists.txt               |   9 +
 oldssl-workaround/hostcheck.c                  | 217 ++++++++++++++++++++++++
 oldssl-workaround/hostcheck.h                  |  30 ++++
 oldssl-workaround/openssl_hostname_validation.c | 177 +++++++++++++++++++
 oldssl-workaround/openssl_hostname_validation.h |  56 ++++++
 source/CMakeLists.txt                          |  47 +----
 source/acfg.cc                                 |   6 +-
 source/acfg_defaults.cc                        |   2 +
 source/acngtool.cc                             |   2 +-
 source/apt-cacher.cc                           |   2 +-
 source/cacheman.cc                             |  26 ++-
 source/cleaner.cc                              |   2 +-
 source/conn.cc                                 |  12 +-
 source/conserver.cc                            |  12 +-
 source/dlcon.cc                                |  10 +-
 source/expiration.cc                           |  45 +++++
 source/fileitem.cc                             | 153 +++++++++--------
 source/job.cc                                  |  65 ++-----
 source/tcpconnect.cc                           |  91 +++++-----
 55 files changed, 1202 insertions(+), 503 deletions(-)

Best regards,
Eduard.
--- End Message ---
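The first changelog entry above describes a cache-side disk exhaustion problem: space reserved up front for a download with fallocate(2) stays reserved if the transfer aborts, and the fix is to truncate the file to the bytes actually received and to cap the reservation at the first megabyte. The following is an added, self-contained illustration of that pattern and is not apt-cacher-ng's code; the one-megabyte cap, the temporary file path under /tmp and the sample payload are assumptions chosen for the demo. It reserves space with posix_fallocate (the portable wrapper over fallocate on Linux), writes a short "received" prefix, then compares how much disk the leftover file still holds with and without the truncate-on-abort fix.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Upper bound on the up-front reservation. Assumption for this demo: a fixed
 * 1 MiB, mirroring the "first megabyte" default quoted in the changelog. */
#define PREALLOC_CAP (1024L * 1024L)

/* How much to pre-reserve for a download whose Content-Length is `expected`. */
long preallocation_length(long expected)
{
    if (expected <= 0) return 0;
    return expected < PREALLOC_CAP ? expected : PREALLOC_CAP;
}

/* Create `path`, reserve space for the expected size (capped), then store the
 * `received` bytes that arrived before the transfer broke off.
 * Returns the open descriptor, or -1 with errno set. */
static int start_partial_download(const char *path, long expected,
                                  const char *data, size_t received)
{
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    long want = preallocation_length(expected);
    if (want > 0) {
        /* posix_fallocate maps to fallocate(2) on Linux; the reserved blocks
         * persist even if nothing is ever written into them. */
        int rc = posix_fallocate(fd, 0, (off_t)want);
        if (rc != 0) { close(fd); errno = rc; return -1; }
    }
    if (write(fd, data, received) != (ssize_t)received) {
        int saved = errno; close(fd); errno = saved; return -1;
    }
    return fd;
}

/* Disk actually held by `path`, in bytes, beyond the `received` payload.
 * st_blocks is always counted in 512-byte units, whatever the fs block size. */
long long bytes_allocated_beyond(const char *path, long long received)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (long long)st.st_blocks * 512 - received;
}

/* Simulate a download of `expected` bytes that aborts after `received` bytes
 * and report how much disk the leftover file still consumes beyond the data.
 * apply_fix == 0: old behaviour, just close the descriptor.
 * apply_fix == 1: shrink the file to the received length first, which also
 *                 releases the reservation past that point. */
long long aborted_download_waste(const char *path, long expected,
                                 size_t received, int apply_fix)
{
    /* Constructed sample data standing in for the first bytes of a response. */
    static const char payload[] = "Package: apt-cacher-ng\nVersion: 3\n";
    if (received > sizeof payload - 1) received = sizeof payload - 1;

    int fd = start_partial_download(path, expected, payload, received);
    if (fd < 0) return -1;
    int rc = 0;
    if (apply_fix) rc = ftruncate(fd, (off_t)received);
    if (close(fd) != 0 || rc != 0) { unlink(path); return -1; }

    long long waste = bytes_allocated_beyond(path, (long long)received);
    unlink(path);
    return waste;
}

int main(void)
{
    const char *path = "/tmp/acng-prealloc-demo.tmp";   /* assumption: writable */
    printf("close only:           %lld bytes held beyond the 40 received\n",
           aborted_download_waste(path, 8L << 20, 40, 0));
    printf("truncate, then close: %lld bytes held beyond the 40 received\n",
           aborted_download_waste(path, 8L << 20, 40, 1));
    return 0;
}
```

Without the fix the file keeps roughly the whole capped reservation (about 1 MiB for a 40-byte partial download); with ftruncate to the received length it drops to at most one filesystem block. The cap matters for the same reason the changelog gives: a large reservation is both a large syscall and a large amount of space to lose per aborted transfer.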
--- Begin Message ---
Hi Eduard,

On Wed, Apr 12, 2017 at 09:39:53PM +0200, Eduard Bloch wrote:
> > The new version of apt-cacher-ng contains lots of changes which are
> > unsuitable during the freeze, so we cannot unblock it. Sorry.
>
> I will not accept that explanation. Which changes do you mean? The raw
> file count? The actual line diffs (and were those reviewed by a C++
> expert?)
>
> The only effective (= compiled on Debian) changes are listed below, also
> attached as diff. Means: there are fewer than 200 new lines. And most of
> them are there to fix real security issues (#856635 and another one
> where there is no CVE yet) or the related fallout, or are GCC-7 fixes or
> trivial refactoring/cleanup.

If there are changes in the package which don't need to be there, please
remove them. All the unnecessary changes create extra work for the review,
which means it won't happen. Refactoring, cleanup, GCC-7 fixes are not
suitable for the freeze.

I'm closing this bug again, as the current version will not be unblocked.
If you prepare a new package which only contains the necessary changes and
no unrelated ones, you can file a new request.

> And my judgement as upstream should count a bit here. And I consider
> only one of the points in the ChangeLog a "nice-to-have" feature;
> excluding it would mean starting to prepare a backport immediately.

That's not a reason to grant an unblock. Lots of upstreams have new
'nice-to-have' features, but the freeze is about changing as little as
possible.

Cheers,
Ivo
--- End Message ---