On Wed, Mar 13, 2024 at 01:50:47PM -0400, Jeremy Bícha wrote:
> The 3 test cases pass for me now with the uploaded 1.50+nmu2. Maybe my
> earlier test build used the old version of xz-utils. Thank you for
> your upload!

Given what has unfolded over the past few days regarding xz-utils and CVE-2024-3094 [0], should we revisit the patches applied here and for #1063252? Are they still needed?

I'm not making any assertions about the validity of the changes, only suggesting that we should review changes made to accommodate the xz-utils versions related to the CVE.

(It is still not clear why some gbp workflows using pristine-tar started failing [1] around the same time that changes were being introduced to xz-utils and pristine-tar. Perhaps it is a coincidence, but it seems potentially related.)

Thank you,
tony

[0] https://security-tracker.debian.org/tracker/CVE-2024-3094
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065445