Bug#1060407: gtkwave update for {bookworm,bullseye,buster}-security
On Thu, Apr 04, 2024 at 11:21:21AM +0200, Emilio Pozuelo Monfort wrote:
> On 29/03/2024 00:06, Adrian Bunk wrote:
>...
> > As already mentioned in #1060407, the ghwdump tool (and manpage) was
> > dropped in 3.3.110 from the upstream sources, and is now in ghdl-tools.
> > For bullseye and buster it is therefore readded.
> >
> > As mentioned in #1060407 there are different tarballs for GTK 2 and GTK 3.
> > Looking closer I realized that this is actually one tarball that
> > supports GTK 1+2, and one tarball that supports GTK 2+3.
> > I did stay at the GTK 1+2 tarball that was already used before
> > for bullseye and buster since there was anyway a different upstream
> > tarball required for the +really version that is required to avoid
> > creating file conflicts with ghwdump when upgrading to bookworm.
> >
> > What does the security team consider the best versioning for bullseye?
> > In #1060407 I suggested 3.3.104+really3.3.118-0.1, but now I ended up
> > preferring 3.3.104+really3.3.118-0+deb11u1
>
> I saw this earlier but I couldn't think of a better versioning scheme,
> though this looked awkward. Now I have thought of a (possibly) better one,
> so I'm stating it here in case we find ourselves in a similar situation in
> the future and someone remembers this thread.
>
> I would have gone with
>
> 3.3.118-0.1~deb12u1
> 3.3.118+gtk2-0+deb11u1
> 3.3.118+gtk2-0+deb10u1

Rather 3.3.118~gtk2, since 3.3.118+gtk2 > 3.3.118

And as described above, +really is required due to ghwdump:

Package: ghdl-tools
Replaces: gtkwave (<< 3.3.110~)
Breaks: gtkwave (<< 3.3.110~)

Since I am readding ghwdump, the version has to be << 3.3.110~

> Cheers,
> Emilio

cu
Adrian
Bug#1060407: gtkwave update for {bookworm,bullseye,buster}-security
On 29/03/2024 00:06, Adrian Bunk wrote:
> Hi,
>
> attached are proposed debdiffs for updating gtkwave to 3.3.118 in
> {bookworm,bullseye,buster}-security for review for a DSA
> (and as preview for buster).
>
> General notes:
>
> As suggested by the security team in #1060407, this is a backport of
> a new upstream version to fix the 82 CVEs.
>
> I checked a handful of CVEs, and they were also present in buster.
> If anyone insists that I check for every single CVE whether it is also
> in buster I can do that, but that would be a lot of work.
>
> As already mentioned in #1060407, the ghwdump tool (and manpage) was
> dropped in 3.3.110 from the upstream sources, and is now in ghdl-tools.
> For bullseye and buster it is therefore readded.
>
> As mentioned in #1060407 there are different tarballs for GTK 2 and GTK 3.
> Looking closer I realized that this is actually one tarball that
> supports GTK 1+2, and one tarball that supports GTK 2+3.
> I did stay at the GTK 1+2 tarball that was already used before
> for bullseye and buster since there was anyway a different upstream
> tarball required for the +really version that is required to avoid
> creating file conflicts with ghwdump when upgrading to bookworm.
>
> What does the security team consider the best versioning for bullseye?
> In #1060407 I suggested 3.3.104+really3.3.118-0.1, but now I ended up
> preferring 3.3.104+really3.3.118-0+deb11u1

I saw this earlier but I couldn't think of a better versioning scheme,
though this looked awkward. Now I have thought of a (possibly) better one,
so I'm stating it here in case we find ourselves in a similar situation in
the future and someone remembers this thread.

I would have gone with

3.3.118-0.1~deb12u1
3.3.118+gtk2-0+deb11u1
3.3.118+gtk2-0+deb10u1

Similar to how we do +dfsg or +repack. The +really is usually used for going
back without adding an epoch, but here we're going forward, so perhaps such a
naming would have made more sense. It also makes it clearer why there's a
different tarball.

Cheers,
Emilio
Bug#1060407: gtkwave update for {bookworm,bullseye,buster}-security
Hi Adrian,

> >...
> > > debdiffs contain only changes to debian/
> >
> > The bookworm/bullseye debdiffs look good, please upload to
> > security-master, thanks!
>
> both are now uploaded.

DSA has been released, thanks!

> > Note that both need -sa, but dak needs some special attention when
> > uploading to security-master. You'll need to wait for the ACCEPTED mail
> > before you can upload the next one.
>
> Done, but I am not sure this was necessary in this case since these are
> different upstream tarballs gtkwave_3.3.118.orig.tar.gz and
> gtkwave_3.3.104+really3.3.118.orig.tar.gz
>
> (The contents also differ since as mentioned one is the GTK 2+3
> upstream tarball and the other one is the GTK 1+2 upstream tarball.)

You're correct indeed.

Cheers,
Moritz
Bug#1060407: gtkwave update for {bookworm,bullseye,buster}-security
On Sun, Mar 31, 2024 at 01:52:40PM +0200, Moritz Mühlenhoff wrote:
> Hi Adrian,

Hi Moritz,

>...
> > debdiffs contain only changes to debian/
>
> The bookworm/bullseye debdiffs look good, please upload to security-master,
> thanks!

both are now uploaded.

> Note that both need -sa, but dak needs some special attention when
> uploading to security-master. You'll need to wait for the ACCEPTED mail
> before you can upload the next one.

Done, but I am not sure this was necessary in this case since these are
different upstream tarballs gtkwave_3.3.118.orig.tar.gz and
gtkwave_3.3.104+really3.3.118.orig.tar.gz

(The contents also differ since as mentioned one is the GTK 2+3
upstream tarball and the other one is the GTK 1+2 upstream tarball.)

> Cheers,
> Moritz

cu
Adrian
Bug#1060407: gtkwave update for {bookworm,bullseye,buster}-security
Hi Adrian,

> attached are proposed debdiffs for updating gtkwave to 3.3.118 in
> {bookworm,bullseye,buster}-security for review for a DSA
> (and as preview for buster).

Thanks!

> General notes:
>
> I checked a handful of CVEs, and they were also present in buster.
> If anyone insists that I check for every single CVE whether it is also
> in buster I can do that, but that would be a lot of work.

Nah, no need.

> As mentioned in #1060407 there are different tarballs for GTK 2 and GTK 3.
> Looking closer I realized that this is actually one tarball that
> supports GTK 1+2, and one tarball that supports GTK 2+3.
> I did stay at the GTK 1+2 tarball that was already used before
> for bullseye and buster since there was anyway a different upstream
> tarball required for the +really version that is required to avoid
> creating file conflicts with ghwdump when upgrading to bookworm.
>
> What does the security team consider the best versioning for bullseye?
> In #1060407 I suggested 3.3.104+really3.3.118-0.1, but now I ended up
> preferring 3.3.104+really3.3.118-0+deb11u1

That's fine.

> debdiffs contain only changes to debian/

The bookworm/bullseye debdiffs look good, please upload to security-master,
thanks!

Note that both need -sa, but dak needs some special attention when
uploading to security-master. You'll need to wait for the ACCEPTED mail
before you can upload the next one.

Cheers,
Moritz