Re: [screen-devel] Current screen HEAD can't reattach to a detached screen 4.0.3

Fri, 18 Nov 2011 10:02:43 -0800 

Hi again,

For those who think "TL;DR", the commit for the 4.0.3 release is very
likely ee51fe58adee19357375b007e0e81e37317773b8. If you're interested
how I found that out, continue reading. :-)

On Thu, Nov 17, 2011 at 06:21:33PM +0100, Axel Beckert wrote:
> > The screen.git repo has no tags.  The experimental package has a commit SHA1
> > in its version string, which helps.  How do I find out exactly which commit
> > corresponds to "Screen version 4.00.03jw4 (FAU) 2-May-06" ?OB
> 
> Not sure. But as the source tar ball of screen 4.0.3 got uploaded in
> March 2007 [1], I'd start with a commit before that date.
> 
>   [1] http://packages.qa.debian.org/s/screen/news/20070305T083205Z.html

That's incorrect, I didn't scroll down far enough. It was even earlier
(at least before 2006-Nov-20 [2]), but the history in the Debian
package tracking system[3] doesn't go far enough. :-/

  [2] http://packages.qa.debian.org/s/screen/news/20061120T233915Z.html
  [3] http://packages.qa.debian.org/s/screen.html

According to the Debian changelog[3] it was on 2006-Oct-28. This is
backed up by some mail[4] contained in a bug (CVE-2006-4573) the first
upload of 4.0.3 to Debian fixes. The upload annoucement[5] is from
2006-Oct-27 or 28, depending on the timezone.

  [3] 
http://packages.debian.org/changelogs/pool/main/s/screen/current/changelog#version4.0.3-0.1
  [4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=395225#5
  [5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=395225#36

Screen's own src/ChangeLog unfortunately has a big gap between somewhen in
1993/1994 (version 3.5.1) and the entry for the upcoming 4.1.0. And
src/NEWS contains no dates.

The 4.0.3 files on http://ftp.gnu.org/gnu/screen/ are from 07-Aug-2008
and were also signed by Micah Cowan's key 4A1B4EB1 on that day. This
doesn't fit with the above dates.

There were just 3 commits in 2006 and 2 in 2007, but many in 2008.
None of the 2006/2007 commits mentions the UTF-8 related security
(CVE-2006-4573) issue with a 2006 CVE id mentioned in [4].

Via the secunia link in the Debian bug report[4] I found the release
annoucement for 4.0.3[6]. It's from 2006-Oct-23 and by Michael
Schroeder.

  [6] https://lists.gnu.org/archive/html/screen-users/2006-10/msg00028.html

So I'd start looking for the commit in 2006, more specifically with
the followin commit which happend just 1.5 hours (note the different
timezones) before the release announcement by someone with the
initials "MLS", very likely the same person who wrote the release
announcement.

  commit ee51fe58adee19357375b007e0e81e37317773b8
  Author: mls <mls>
  Date:   Mon Oct 23 15:49:44 2006 +0000

      first stab at vertical split

So I guess the 4.0.3 packages have reuploaded to Savannah in 2008 or
so. That would explain the date discrepancies on ftp.gnu.org.

And yeah, this mail grew with my findings. ;-)

                Kind regards, Axel
-- 
/~\  Plain Text Ribbon Campaign                   | Axel Beckert
\ /  Say No to HTML in E-Mail and News            | a...@deuxchevaux.org  (Mail)
 X   See http://www.asciiribbon.org/              | a...@noone.org (Mail+Jabber)
/ \  I love long mails: http://email.is-not-s.ms/ | http://noone.org/abe/ (Web)

Reply via email to