Helge Kreutzmann wrote:
> Package: kdelibs3
> Version: 4:2.2.2-13.woody.12
> Severity: normal
> 
> I just wanted to apply the latest security update for kdelibs (DSA 631-1),
> and I was quite astonished when I got
> The following NEW packages will be installed:
>   libarts libglib2.0-0 
> 
> I was under the impression that security updates should only change
> the minimum possible. DSA 631-1 did not list any notice regarding new
> dependencies.
> 
> I compared the dependencies of -13.woody.12 (installed as of this writing)
> and -13.woody.13, which is supposed to be the security update. I see that
> two new dependencies have been added:
>    libarts (>= 4:2.2.2-1) | libarts-alsa (>= 4:2.2.2-1)
>    libglib2.0-0 (>= 2.0.1)
> 
> If these are indeed security-related changes, then they should be mentioned
> in the DSA.
> 
> I downloaded the deb next and looked at the changelog. It states:
>   * Non-maintainer upload by the Security Team
>   * Applied upstream patch to fix arbitrary FTP command execution
>       [kio/ftp/ftp.cc, CAN-2004-1165]
> 
> Again, no mention of changed dependencies. I now really start to wonder
> what has happened.

Broken build dependency/conflict definition.

I don't know what has introduced this dependency.  However, since at least
libarts* are also in the suggests field, it shouldn't pose a problem.

libarts was installed on the i386 build system.  Maybe that's how the
dependency was introduced.  It's not declared as a build-conflict, and
hence not removed before the build.

Regards,

        Joey

PS: Please use X-Debbugs-Cc next time so I don't have to dig out the bugnr
on my own.

-- 
The only stupid question is the unasked one.

Please always Cc to me when replying to me on the lists.
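The check Helge describes above, comparing the Depends fields of the installed and the updated package, is easy to automate so that a quietly added dependency in a security update is caught before it is installed. The script below is an added illustration and is not part of this bug thread or of any Debian tool. It assumes the two Depends strings have been extracted beforehand (in practice with `dpkg-deb -f pkg.deb Depends`); here both are constructed inline, with a hypothetical old list and a new list that appends the two dependencies quoted in the report. Alternatives joined with `|` are kept together as one clause, since either package satisfies it.

```python
"""Diff the Depends fields of two versions of a package (added example)."""

import re

# One dependency, e.g. "libarts (>= 4:2.2.2-1)" or just "libpng2".
DEP_RE = re.compile(
    r"^\s*([a-z0-9][a-z0-9+.-]*)\s*"
    r"(?:\(\s*(<<|<=|=|>=|>>)\s*([^)]+?)\s*\))?\s*$"
)


def parse_depends(field):
    """Return a list of clauses; each clause is a tuple of alternatives,
    each alternative a (package, relation, version) triple (relation and
    version are None when no version constraint is given)."""
    clauses = []
    field = field.strip()
    if not field:
        return clauses
    for clause in field.split(","):
        alts = []
        for alt in clause.split("|"):
            m = DEP_RE.match(alt)
            if not m:
                raise ValueError("cannot parse dependency: %r" % alt)
            alts.append((m.group(1), m.group(2), m.group(3)))
        clauses.append(tuple(alts))
    return clauses


def depends_diff(old_field, new_field):
    """Return (added, removed, changed): clauses only in the new version,
    clauses only in the old one, and (old, new) pairs whose package names
    match but whose version constraints differ.  Clauses are keyed by the
    tuple of their package names, so turning "libarts" into
    "libarts | libarts-alsa" shows up as one removal plus one addition."""
    old = {tuple(a[0] for a in c): c for c in parse_depends(old_field)}
    new = {tuple(a[0] for a in c): c for c in parse_depends(new_field)}
    added = [new[k] for k in new if k not in old]
    removed = [old[k] for k in old if k not in new]
    changed = [(old[k], new[k]) for k in new if k in old and old[k] != new[k]]
    return added, removed, changed


def format_clause(clause):
    """Render a clause back into Depends syntax for reporting."""
    parts = []
    for name, rel, ver in clause:
        parts.append(name if rel is None else "%s (%s %s)" % (name, rel, ver))
    return " | ".join(parts)


# Constructed sample fields.  OLD_DEPENDS is hypothetical; NEW_DEPENDS adds
# the two dependencies quoted in the bug report.
OLD_DEPENDS = "libc6 (>= 2.2.4-4), libqt2 (>= 3:2.3.1), libpng2, zlib1g (>= 1:1.1.4)"
NEW_DEPENDS = (OLD_DEPENDS
               + ", libarts (>= 4:2.2.2-1) | libarts-alsa (>= 4:2.2.2-1)"
               + ", libglib2.0-0 (>= 2.0.1)")


def new_dependency_names(old_field=OLD_DEPENDS, new_field=NEW_DEPENDS):
    """Package names a user may be forced to install anew: every alternative
    of every added clause, sorted."""
    added, _, _ = depends_diff(old_field, new_field)
    return sorted({name for clause in added for name, _, _ in clause})


if __name__ == "__main__":
    added, removed, changed = depends_diff(OLD_DEPENDS, NEW_DEPENDS)
    for c in added:
        print("NEW dependency:    ", format_clause(c))
    for c in removed:
        print("DROPPED dependency:", format_clause(c))
    for o, n in changed:
        print("CHANGED:", format_clause(o), "->", format_clause(n))
    if not (added or removed or changed):
        print("Depends unchanged")
```

Run against the sample fields it reports the `libarts | libarts-alsa` clause and `libglib2.0-0` as new, which is exactly the surprise in the report; a pure version bump of an existing dependency is listed under CHANGED instead, so the two kinds of change are not confused.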
