Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED

[Adam D. Barratt]

On Sun, 2014-11-23 at 21:03 +0100, Holger Levsen wrote:
> Hi Adam,
> 
> On Sonntag, 23. November 2014, Adam D. Barratt wrote:
> > On Sun, 2014-11-23 at 19:43 +0100, Holger Levsen wrote:
> > > oh, "btw": jessie has -2, sid -3, with changes unsuitable for wheezy and
> > > targeted at jessie. this needs an unblock request to let -3 migrate to
> > > jessie and have the binaries removed from sid first... anybody doing
> > > this?
> > 
> > It needs more than that; from the cruft-report:
> 
> that's the cruft report for which distro?

For unstable, to go with your "needs ... the binaries removed from sid".
Those are the things blocking ftp-master from semi-automagically
removing them.

Regards,

Adam



__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED

[Adam D. Barratt]

On Sun, 2014-11-23 at 19:43 +0100, Holger Levsen wrote:
> oh, "btw": jessie has -2, sid -3, with changes unsuitable for wheezy and 
> targeted at jessie. this needs an unblock request to let -3 migrate to jessie 
> and have the binaries removed from sid first... anybody doing this?

It needs more than that; from the cruft-report:

* package libtomcat6-java in version 6.0.41-2 is no longer built from source
[...]
  - broken Depends:
tomcat-maven-plugin: libtomcat-maven-plugin-java
[...]
* package tomcat6 in version 6.0.41-2 is no longer built from source
[...]
  - broken Depends:
biomaj-watcher/contrib: biomaj-watcher
guacamole-client: guacamole-tomcat
jspwiki/contrib: jspwiki
  - broken Build-Depends:
jspwiki/contrib: tomcat6

* package tomcat6-common in version 6.0.41-2 is no longer built from source
[...
  - broken Build-Depends:
tomcat-maven-plugin: tomcat6-common

Regards,

Adam



__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED

[Mark Hymers]

On Sun, 23, Nov, 2014 at 10:29:59AM +0100, Holger Levsen spoke thus..
 Hi,
 
 On Sonntag, 23. November 2014, Debian FTP Masters wrote:
  Version check failed:
  Your upload included the source package tomcat6, version 6.0.41-2+squeeze5,
  however stable already has version 6.0.35-6+deb7u1.
  Uploads to squeeze-lts must have a lower version than present in stable.
 
 so this is due to the changes to dak implemented by Mark Hymers during the 
 MiniDebConf in Cambridge early November. (Mark can you please explain what 
 other changes (relevant to LTS) you did?!

So, basically, for those following along, Holger asked me to make sure
that squeeze LTS couldn't end up ahead of stable (wheezy).  I therefore
added the following version constraints:

mhy@franck:~$ dak admin v-c list-suite squeeze-lts
squeeze-lts MustBeNewerThan oldstable
squeeze-lts Enhances oldstable
squeeze-lts MustBeOlderThan stable
squeeze-lts MustBeOlderThan proposed-updates

This probably means that in some cases (especially those involving new
upstream versions), stable security updates will need to hit p-u before
the LTS uploads happen.  If this is a problem, we should just revoke
those parts of the version constraints and leave only the oldstable
ones.

Thanks,

Mark

-- 
Mark Hymers mhy at debian dot org

Well, the thing about a black hole - it's main distinguishing feature - is
 it's black. And the thing about space, your basic space colour is black. So
 how are you supposed to see them?
 Holly, Red Dwarf Series III - Marooned

__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED

[tony mancill]

On 11/23/2014 04:16 AM, Mark Hymers wrote:
 On Sun, 23, Nov, 2014 at 10:29:59AM +0100, Holger Levsen spoke thus..
 Hi,

 On Sonntag, 23. November 2014, Debian FTP Masters wrote:
 Version check failed:
 Your upload included the source package tomcat6, version 6.0.41-2+squeeze5,
 however stable already has version 6.0.35-6+deb7u1.
 Uploads to squeeze-lts must have a lower version than present in stable.

 so this is due to the changes to dak implemented by Mark Hymers during the 
 MiniDebConf in Cambridge early November. (Mark can you please explain what 
 other changes (relevant to LTS) you did?!
 
 So, basically, for those following along, Holger asked me to make sure
 that squeeze LTS couldn't end up ahead of stable (wheezy).  I therefore
 added the following version constraints:
 
 mhy@franck:~$ dak admin v-c list-suite squeeze-lts
 squeeze-lts MustBeNewerThan oldstable
 squeeze-lts Enhances oldstable
 squeeze-lts MustBeOlderThan stable
 squeeze-lts MustBeOlderThan proposed-updates
 
 This probably means that in some cases (especially those involving new
 upstream versions), stable security updates will need to hit p-u before
 the LTS uploads happen.  If this is a problem, we should just revoke
 those parts of the version constraints and leave only the oldstable
 ones.

Hi Holger,

Thank you for coordinating this effort.  I'm not aware of any reason why
the squeeze-lts packaging/version of tomcat6 wouldn't also be
appropriate for wheezy.

An updated tomcat-native package should also be part of the update;
building 1.1.31-1 from testing/unstable on wheezy fine.  (I just built
both of these, the squeeze-lts tomcat6 + tomcat-native 1.1.31-1 on a
wheezy chroot and ran them without any issue.)

The Java Team is cc:d on this thread.  Emmanuel has been in much closer
contact with tomcat6 since this effort started, so he may have some input.

Synopsis:  Updating tomcat6 for squeeze-lts put us in the awkward
position of having a newer tomcat in old-stable than in stable; Holger
is helping to get this resolved.  I am recommending that tomcat-native
1.1.31 accompany any updates to tomcat6 6.0.41.

Cheers,
tony



signature.asc
Description: OpenPGP digital signature
__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED

[tony mancill]

On 11/23/2014 12:03 PM, Holger Levsen wrote:
 Hi Adam,
 
 On Sonntag, 23. November 2014, Adam D. Barratt wrote:
 On Sun, 2014-11-23 at 19:43 +0100, Holger Levsen wrote:
 oh, btw: jessie has -2, sid -3, with changes unsuitable for wheezy and
 targeted at jessie. this needs an unblock request to let -3 migrate to
 jessie and have the binaries removed from sid first... anybody doing
 this?

 It needs more than that; from the cruft-report:
 
 that's the cruft report for which distro?
 
 * package libtomcat6-java in version 6.0.41-2 is no longer built from
 source [...]
   - broken Depends:
 tomcat-maven-plugin: libtomcat-maven-plugin-java
 
 both are in wheezy
 
 * package tomcat6 in version 6.0.41-2 is no longer built from source
 [...]
   - broken Depends:
 biomaj-watcher/contrib: biomaj-watcher
 guacamole-client: guacamole-tomcat
 
 both are in wheezy
 
 jspwiki/contrib: jspwiki
 
 jspwiki I can only find in unstable...
 
   - broken Build-Depends:
 jspwiki/contrib: tomcat6
 
  
 * package tomcat6-common in version 6.0.41-2 is no longer built from source
 [...
   - broken Build-Depends:
 tomcat-maven-plugin: tomcat6-common
 
 see above, in wheezy
 
 /me cannot believe adsb might have done a mistake - have we been hacked? ;-)

The cruft report for unstable will look *very* different due to 6.0.41-3
being a *radically* different package.

 tomcat6 (6.0.41-3) unstable; urgency=medium
 
   * Build only the libservlet2.5-java and libservlet2.5-java-doc packages.
 Tomcat 6 will not be supported in Jessie, but the Servlet API is still
 useful as a build dependency for other packages.
   * Standards-Version updated to 3.9.6 (no changes)
 
  -- Emmanuel Bourg ebo...@apache.org  Wed, 22 Oct 2014 09:48:54 +0200

The decision/requirement to remove tomcat6 from jessie has been
requested by the Security team for quite a while, and the 6.0.41-3
source upload effectively does this by just building libservlet2.5-java
(without which we would have many packages with missing r-deps).

I not sure I understand all of the ramifications of the statement I'm
about to make, but for the purposes of squeeze and wheezy, we need to
consider 6.0.41-2 as the last version of a complete tomcat6 source
package.

tony



signature.asc
Description: OpenPGP digital signature
__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED

[tony mancill]

On 11/23/2014 01:16 PM, Holger Levsen wrote:
 Hi Tony,
 
 On Sonntag, 23. November 2014, tony mancill wrote:
 The cruft report for unstable will look *very* different due to 6.0.41-3
 being a *radically* different package.
 
 no, the report exactly looks like this *because* of this:
  
   * Build only the libservlet2.5-java and libservlet2.5-java-doc
   packages.
 [..]
 
 The decision/requirement to remove tomcat6 from jessie has been
 requested by the Security team for quite a while, and the 6.0.41-3
 source upload effectively does this by just building libservlet2.5-java
 (without which we would have many packages with missing r-deps).
 
 what's missing now is a bug against ftp.debian.org asking for the removal of 
 the binaries from sid, which are not build by the -3 anymore. 

RM/NBS bug filed, #770769.

 *then*, -3 can migrate to jessie and those binaries will vanish 
 automagically.
 
 and the stuff in the cruft report breaks because of this.
 
 I not sure I understand all of the ramifications of the statement I'm
 about to make, but for the purposes of squeeze and wheezy, we need to
 consider 6.0.41-2 as the last version of a complete tomcat6 source
 package.
 
 yup, I will base the wheezy upload on this.

Thank you!

tony



signature.asc
Description: OpenPGP digital signature
__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Re: tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED

[Emmanuel Bourg]

Le 23/11/2014 22:09, tony mancill a écrit :

 The decision/requirement to remove tomcat6 from jessie has been
 requested by the Security team for quite a while, and the 6.0.41-3
 source upload effectively does this by just building libservlet2.5-java
 (without which we would have many packages with missing r-deps).
 
 I not sure I understand all of the ramifications of the statement I'm
 about to make, but for the purposes of squeeze and wheezy, we need to
 consider 6.0.41-2 as the last version of a complete tomcat6 source
 package.

Would that help if we rename the source package in unstable/testing to
libservlet2.5-java?

Emmanuel Bourg


__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. 
Please use
debian-j...@lists.debian.org for discussions and questions.