Your message dated Fri, 10 May 2024 19:20:56 +0000
with message-id <[email protected]>
and subject line Bug#1069597: fixed in gnulib 20240412~dfb7117+stable202401.20240408~aa0aa87-3
has caused the Debian Bug report #1069597,
regarding gnulib: describe a security patch mechanism
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1069597: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069597
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gnulib
Severity: wishlist
I don't know how to implement this, so I'll describe it pending
inspiration or someone else coming along who wants to work on this.
Let's say we are in a situation where Debian packages Build-Depend on
the gnulib package as the source for gnulib-related source code. I've
implemented this for libntlm [1], but it could be done for any package
that uses gnulib. That approach would reduce the need to audit vendored
gnulib code from upstream tarballs. Most packages today (e.g.,
coreutils, tar, gzip, inetutils) just vendor all gnulib files into the
tarball. So this wishlist is more relevant in a future reality where
Build-Depends on gnulib is a more widespread solution.
If there is a security bug in gnulib code, it would make sense to
manually patch the gnulib package, and then automatically rebuild
all the dependent packages to get the fix released, rather than
manually patching all packages that have vendored gnulib code in them
and releasing those.
The GNULIB_REVISION or --gnulib-refdir mechanism used by gnulib does not
support this way of working: the git commit to use comes from the
package (e.g., libntlm) via GNULIB_REVISION in bootstrap.conf or through
a git submodule that pins the gnulib commit. So patching code in the
Debian gnulib package doesn't alter the code that's in the gnulib git
commit tree used.
Some mechanism that lets packages pin the gnulib git commit to use AND
then lets the Debian gnulib package patch the resulting gnulib
code seems to be needed.
Possibly we can implement rules via the new
/usr/share/gnulib/gnulibvars.mk dpkg makefile snippet. Then all
packages that rely on gnulib would have to include that and invoke the
hook, in order to allow the gnulib Debian package to provide patched
gnulib source code before the package builds it.
/Simon
[1]
https://blog.josefsson.org/2024/04/13/reproducible-and-minimal-source-only-tarballs/
--- End Message ---
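The mechanism the report asks for, shown as an added example that is not part of the bug report and is not the gnulib package's dh_gnulib_patch: the package keeps pinning a gnulib commit, and a distro-supplied overlay is merged into the pinned tree before the build. The overlay layout, the MANIFEST format, and the function names gnulib_overlay_apply and make_fixture are assumptions made here for illustration; the fixture files are constructed in the script, and sha256sum (or shasum) is assumed to be installed. The check a practitioner wants from such a hook is the one the pin-plus-patch split makes necessary: the overlay records the hash of the pinned file it was made from and is refused if the package pins a different revision, so a fix prepared against one gnulib commit is never dropped silently onto another.

```shell
#!/bin/sh
# Hypothetical overlay step for a distro-patched gnulib (added example, not
# the gnulib package's dh_gnulib_patch). The package keeps pinning a gnulib
# commit; the distro's gnulib package ships replacement files plus a MANIFEST
# recording the SHA-256 of the pinned file each replacement was made from.
# A replacement is only applied when the pinned file still matches that
# hash, so an overlay made for one revision never lands on another one.
set -eu

# SHA-256 of one file; assumes GNU sha256sum or shasum is installed.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# gnulib_overlay_apply PINNED OVERLAY DEST
#   PINNED  : gnulib tree as checked out at the package's pinned commit
#   OVERLAY : distro-provided tree mirroring PINNED's layout, plus
#             OVERLAY/MANIFEST with lines "<base-sha256> <relative path>"
#   DEST    : merged tree the package goes on to build from
# Exit status is 0 when every MANIFEST entry was applied, 1 otherwise;
# refused entries leave the pinned copy in DEST untouched.
gnulib_overlay_apply() {
    pinned=$1; overlay=$2; dest=$3
    [ -n "$dest" ] || return 1
    rm -rf "$dest"; mkdir -p "$dest"
    # 1. start from an exact copy of the pinned tree
    (cd "$pinned" && find . -type f) | while read -r f; do
        mkdir -p "$dest/$(dirname "$f")"
        cp "$pinned/$f" "$dest/$f"
    done
    # 2. overlay each MANIFEST entry, but only onto the base it was made for
    status=0
    while read -r base_sha rel; do
        [ -n "$rel" ] || continue
        if [ ! -f "$pinned/$rel" ] || [ ! -f "$overlay/$rel" ]; then
            echo "overlay: $rel missing from pinned tree or overlay, refusing" >&2
            status=1; continue
        fi
        actual=$(file_sha256 "$pinned/$rel")
        if [ "$actual" != "$base_sha" ]; then
            echo "overlay: $rel at pinned commit is not the base this fix was made for, refusing" >&2
            status=1; continue
        fi
        cp "$overlay/$rel" "$dest/$rel"
        echo "overlay: applied distro fix to $rel"
    done < "$overlay/MANIFEST"
    return $status
}

# Constructed fixture under $1: a two-file fake pinned tree and an overlay
# whose MANIFEST is generated against it. With $2 = stale the MANIFEST
# records the wrong base hash, simulating a fix made for another commit.
make_fixture() {
    root=$1; mode=${2:-fresh}
    mkdir -p "$root/pinned/lib" "$root/overlay/lib"
    printf '/* vasnprintf.c as pinned, before the distro fix */\n' > "$root/pinned/lib/vasnprintf.c"
    printf '/* xalloc.c as pinned, untouched by the fix */\n' > "$root/pinned/lib/xalloc.c"
    printf '/* vasnprintf.c with the distro security fix applied */\n' > "$root/overlay/lib/vasnprintf.c"
    if [ "$mode" = stale ]; then
        base=$(file_sha256 "$root/pinned/lib/xalloc.c")   # deliberately wrong base
    else
        base=$(file_sha256 "$root/pinned/lib/vasnprintf.c")
    fi
    printf '%s lib/vasnprintf.c\n' "$base" > "$root/overlay/MANIFEST"
}

# Stand-alone run: one matching overlay, one stale overlay that must be refused.
demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp/ok"
    gnulib_overlay_apply "$tmp/ok/pinned" "$tmp/ok/overlay" "$tmp/ok/build"
    cat "$tmp/ok/build/lib/vasnprintf.c"
    make_fixture "$tmp/stale" stale
    if gnulib_overlay_apply "$tmp/stale/pinned" "$tmp/stale/overlay" "$tmp/stale/build"; then
        echo "unexpected: stale overlay was applied" >&2; return 1
    fi
    cat "$tmp/stale/build/lib/vasnprintf.c"   # still the pinned copy
    rm -rf "$tmp"
}
demo
```

In a real packaging flow the merged DEST tree is what the package's bootstrap would be pointed at instead of the raw pinned checkout; gnulib-tool's own --local-dir override directory (whole-file replacements and .diff patches looked up before gnulib's files) is the natural plumbing for feeding it in. The whole-file overlay here is a deliberate simplification of patch application: the point being demonstrated is the base-revision check, which is the piece the pin-in-the-package, patch-in-the-distro split needs and a plain patch run does not give you.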
--- Begin Message ---
Source: gnulib
Source-Version: 20240412~dfb7117+stable202401.20240408~aa0aa87-3
Done: Simon Josefsson <[email protected]>
We believe that the bug you reported is fixed in the latest version of
gnulib, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon Josefsson <[email protected]> (supplier of updated gnulib package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 10 May 2024 20:45:07 +0200
Source: gnulib
Architecture: source
Version: 20240412~dfb7117+stable202401.20240408~aa0aa87-3
Distribution: unstable
Urgency: medium
Maintainer: Simon Josefsson <[email protected]>
Changed-By: Simon Josefsson <[email protected]>
Closes: 1069597
Changes:
gnulib (20240412~dfb7117+stable202401.20240408~aa0aa87-3) unstable; urgency=medium
.
* Add dh_gnulib_patch and rework dh integration. Closes: #1069597.
Checksums-Sha1:
 c6bdf5e6ce8e9f25088fa73565a9d5d89002b0a5 2171 gnulib_20240412~dfb7117+stable202401.20240408~aa0aa87-3.dsc
 8bb01128d89d8f20dc3b2f4bf2dcaa5e8f5bf13e 335580 gnulib_20240412~dfb7117+stable202401.20240408~aa0aa87-3.debian.tar.xz
 f16e5f19395096135ff8d60c7da3c0f7b5589e36 6739 gnulib_20240412~dfb7117+stable202401.20240408~aa0aa87-3_amd64.buildinfo
Checksums-Sha256:
 10bdaf7e488c298e5e344e718eb531d48a44ed29cc0116b46e7b3261985f9d8e 2171 gnulib_20240412~dfb7117+stable202401.20240408~aa0aa87-3.dsc
 3fa4cc4f275183bfc62f942c84082159e626b2d5edea069226abfb5832d34907 335580 gnulib_20240412~dfb7117+stable202401.20240408~aa0aa87-3.debian.tar.xz
 af7245a2f9ae0e2e47e68fbbd289608798808cf5d0d861e1a1b2f8513eee897d 6739 gnulib_20240412~dfb7117+stable202401.20240408~aa0aa87-3_amd64.buildinfo
Files:
 72a9989362765af0b16df2482885a1db 2171 devel optional gnulib_20240412~dfb7117+stable202401.20240408~aa0aa87-3.dsc
 2179b575c11e65ec247be875508878ed 335580 devel optional gnulib_20240412~dfb7117+stable202401.20240408~aa0aa87-3.debian.tar.xz
 2d81edc9919e63c551cd636447e9ad6a 6739 devel optional gnulib_20240412~dfb7117+stable202401.20240408~aa0aa87-3_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iIoEARYIADIWIQSjzJyHC50xCrrUzy9RcisI/kdFogUCZj5uRxQcc2ltb25Aam9z
ZWZzc29uLm9yZwAKCRBRcisI/kdForrlAQDponjgCu23aYC1TCGnhzkYpG+v14bg
5WdddYUjzjG8uwD/Ws5mGdR+MYd1LtHyYnKzfkNvidYXvLsOm/AlCoiqNQk=
=vFzb
-----END PGP SIGNATURE-----
--- End Message ---