Bug#1060407: gtkwave update for {bookworm,bullseye,buster}-security

2024-04-04 Thread Adrian Bunk
On Thu, Apr 04, 2024 at 11:21:21AM +0200, Emilio Pozuelo Monfort wrote:
> On 29/03/2024 00:06, Adrian Bunk wrote:
>...
> > As already mentioned in #1060407, the ghwdump tool (and manpage) was
> > dropped in 3.3.110 from the upstream sources, and is now in ghdl-tools.
> > For bullseye and buster it is therefore re-added.
> > 
> > As mentioned in #1060407 there are different tarballs for GTK 2 and GTK 3.
> > Looking closer I realized that this is actually one tarball that
> > supports GTK 1+2, and one tarball that supports GTK 2+3.
> > I did stay at the GTK 1+2 tarball that was already used before
> > for bullseye and buster since there was anyway a different upstream
> > tarball required for the +really version that is required to avoid
> > creating file conflicts with ghwdump when upgrading to bookworm.
> > 
> > What does the security team consider the best versioning for bullseye?
> > In #1060407 I suggested 3.3.104+really3.3.118-0.1, but now I ended up
> > preferring 3.3.104+really3.3.118-0+deb11u1
> 
> I saw this earlier but I couldn't think of a better versioning scheme,
> though this looked awkward. Now I have thought of a (possibly) better one,
> so I'm stating it here in case we find ourselves in a similar situation in
> the future and someone remembers this thread.
> 
> I would have gone with
> 
>   3.3.118-0.1~deb12u1
>   3.3.118+gtk2-0+deb11u1
>   3.3.118+gtk2-0+deb10u1

Rather 3.3.118~gtk2, since 3.3.118+gtk2 > 3.3.118

And as described above, +really is required due to ghwdump:

Package: ghdl-tools
Replaces: gtkwave (<< 3.3.110~)
Breaks: gtkwave (<< 3.3.110~)

Since I am re-adding ghwdump, the version has to be << 3.3.110~

> Cheers,
> Emilio

cu
Adrian



Bug#1060407: gtkwave update for {bookworm,bullseye,buster}-security

2024-04-04 Thread Emilio Pozuelo Monfort

On 29/03/2024 00:06, Adrian Bunk wrote:
> Hi,
> 
> attached are proposed debdiffs for updating gtkwave to 3.3.118 in
> {bookworm,bullseye,buster}-security for review for a DSA
> (and as preview for buster).
> 
> General notes:
> 
> As suggested by the security team in #1060407, this is a backport of a
> new upstream version to fix the 82 CVEs.
> 
> I checked a handful of CVEs, and they were also present in buster.
> If anyone insists that I check for every single CVE whether it is also
> in buster I can do that, but that would be a lot of work.
> 
> As already mentioned in #1060407, the ghwdump tool (and manpage) was
> dropped in 3.3.110 from the upstream sources, and is now in ghdl-tools.
> For bullseye and buster it is therefore re-added.
> 
> As mentioned in #1060407 there are different tarballs for GTK 2 and GTK 3.
> Looking closer I realized that this is actually one tarball that
> supports GTK 1+2, and one tarball that supports GTK 2+3.
> I did stay at the GTK 1+2 tarball that was already used before
> for bullseye and buster since there was anyway a different upstream
> tarball required for the +really version that is required to avoid
> creating file conflicts with ghwdump when upgrading to bookworm.
> 
> What does the security team consider the best versioning for bullseye?
> In #1060407 I suggested 3.3.104+really3.3.118-0.1, but now I ended up
> preferring 3.3.104+really3.3.118-0+deb11u1


I saw this earlier but I couldn't think of a better versioning scheme, though 
this looked awkward. Now I have thought of a (possibly) better one, so I'm 
stating it here in case we find ourselves in a similar situation in the future 
and someone remembers this thread.


I would have gone with

  3.3.118-0.1~deb12u1
  3.3.118+gtk2-0+deb11u1
  3.3.118+gtk2-0+deb10u1

Similar to how we do +dfsg or +repack. The +really is usually used for going 
back without adding an epoch, but here we're going forward, so perhaps such a 
naming would have made more sense. It also makes it clearer why there's a 
different tarball.


Cheers,
Emilio



Bug#1060407: gtkwave update for {bookworm,bullseye,buster}-security

2024-04-03 Thread Moritz Muehlenhoff
Hi Adrian,
> >...
> > > debdiffs contain only changes to debian/
> > 
> > The bookworm/bullseye debdiffs look good, please upload to 
> > security-master, thanks!
> 
> both are now uploaded.

DSA has been released, thanks!
 
> > Note that both need -sa, but dak needs some special attention when
> > uploading to security-master. You'll need to wait for the ACCEPTED mail
> > before you can upload the next one.
> 
> Done, but I am not sure this was necessary in this case since these are 
> different upstream tarballs gtkwave_3.3.118.orig.tar.gz and 
> gtkwave_3.3.104+really3.3.118.orig.tar.gz
> 
> (The contents also differs since as mentioned one is the GTK 2+3 
>  upstream tarball and the other one is the GTK 1+2 upstream tarball.)

You're correct indeed.

Cheers,
Moritz



Bug#1060407: gtkwave update for {bookworm,bullseye,buster}-security

2024-04-02 Thread Adrian Bunk
On Sun, Mar 31, 2024 at 01:52:40PM +0200, Moritz Mühlenhoff wrote:
> Hi Adrian,

Hi Moritz,

>...
> > debdiffs contain only changes to debian/
> 
> The bookworm/bullseye debdiffs look good, please upload to security-master, 
> thanks!

both are now uploaded.

> Note that both need -sa, but dak needs some special attention when
> uploading to security-master. You'll need to wait for the ACCEPTED mail
> before you can upload the next one.

Done, but I am not sure this was necessary in this case since these are 
different upstream tarballs gtkwave_3.3.118.orig.tar.gz and 
gtkwave_3.3.104+really3.3.118.orig.tar.gz

(The contents also differs since as mentioned one is the GTK 2+3 
 upstream tarball and the other one is the GTK 1+2 upstream tarball.)

> Cheers,
> Moritz

cu
Adrian



Bug#1060407: gtkwave update for {bookworm,bullseye,buster}-security

2024-03-31 Thread Moritz Mühlenhoff
Hi Adrian,

> attached are proposed debdiffs for updating gtkwave to 3.3.118 in
> {bookworm,bullseye,buster}-security for review for a DSA
> (and as preview for buster).

Thanks!

> General notes:
> 
> I checked a handful of CVEs, and they were also present in buster.
> If anyone insists that I check for every single CVE whether it is also
> in buster I can do that, but that would be a lot of work.

Nah, no need.

> As mentioned in #1060407 there are different tarballs for GTK 2 and GTK 3.
> Looking closer I realized that this is actually one tarball that 
> supports GTK 1+2, and one tarball that supports GTK 2+3.
> I did stay at the GTK 1+2 tarball that was already used before 
> for bullseye and buster since there was anyway a different upstream 
> tarball required for the +really version that is required to avoid 
> creating file conflicts with ghwdump when upgrading to bookworm.
> 
> What does the security team consider the best versioning for bullseye?
> In #1060407 I suggested 3.3.104+really3.3.118-0.1, but now I ended up
> preferring 3.3.104+really3.3.118-0+deb11u1

That's fine.

> debdiffs contain only changes to debian/

The bookworm/bullseye debdiffs look good, please upload to security-master, 
thanks!

Note that both need -sa, but dak needs some special attention when
uploading to security-master. You'll need to wait for the ACCEPTED mail
before you can upload the next one.

Cheers,
Moritz