On Sat, Nov 16, 2019 at 08:57:00AM +0000, Holger Levsen wrote:
> Hi Roberto,
>
> On Fri, Nov 15, 2019 at 08:34:52PM -0500, Roberto C. Sánchez wrote:
> > I am hesitant to file the bugs with the SRMs and to do the jessie
> > upload. I merged the 2019.11.15 tag into the jessie and stretch
> > branches. I also created a new buster branch from that tag.
>
> cool!
>
> for jessie, there's no need to go via SRM, *we* are maintaining jessie
> now.
>
I understand that. My wording above was awkward, but it was intended to
make a distinction that I could just go ahead with the jessie upload at
any point.

> for stretch (and buster) I'm pondering whether we should do another
> upload to unstable first, as I did a commit yesterday marking chromium
> as unsupported in stretch. so I've come to conclude that I'll upload
> this right away (it will just delay buster migration by a day) as this
> change is pretty good to have for stretch.
>
Oh, OK. Please go ahead.

> > The buster update goes from 2019.06.13..2019.11.15_deb10u1, the stretch
> > update from debian/2019.02.01_deb9u1..2019.11.15_deb9u1 and the jessie
> > update from debian/2019.02.01_deb8u1..2019.11.15_deb8u1. The git diffs
> > look sane. However, after building each of the packages and checking
> > the debdiffs (against source packages downloaded with debsnap), the
> > stretch and jessie packages I built seem to be inducing many more
> > changes than those revealed by git diff.
>
> so debsnap is buggy?
>
I think it just reflects that the packages which were uploaded differ
from the corresponding tags in the repository. It was unexpected and
confused the path forward for me.

> and anyway, do we need branches at all? can't you just do commit based
> on master with a d/changelog entry and then save this as a tag, but not
> as a branch?
>
Given the way that debian-security-support works, that sounds like a good
approach. I used the branches because they were there and appeared to
have been in recent use.

> > Before I go ahead with pushing changes to salsa, uploading to jessie,
> > releasing a DLA, and filing bugs requesting approval to upload to buster
> > and stretch, I'd like to make sure that I have gone about all of this in
> > the right way.
>
> Good! :)
>
> > What is the best way to facilitate this? Should I fork
> > debian-security-support and push my proposed changes there for you to
> > review?
>
> if you want, you can surely do this. Even without forking, just create a
> branch el_cubano/WIP or some such and I can review that.
>
> > Should I post source packages and debdiffs for review? Let me
> > know how I should proceed.
>
> or that. I'm happy to review basically anything that I can review easily.
>
Since it sounds like you have another update past mine, would you be
willing to take over from here? It seems like my use of the branches
would create opportunity for future complications which could be avoided
by the single commit/tag-based approach you propose.

The uncertainty that I have surrounding this process makes me think it
should be documented. I'll make an attempt at documenting the process on
the wiki and then perhaps you can review it for accuracy.

I have attached my draft DLA text so that you can add the chromium bit to
it. Also, feel free to edit my draft text for clarity, consistency, etc.

Regards,

-Roberto

-- 
Roberto C. Sánchez
From: Roberto C. Sánchez <robe...@debian.org>
To: debian-lts-annou...@lists.debian.org
Subject: [SECURITY] [DLA XXXX-1] debian-security-support libqb and mysql-5.5 end of life

Package        : debian-security-support
Version        : 2019.11.15~deb8u1

debian-security-support, the Debian security support coverage checker,
has been updated in jessie.

This marks the end of life of the libqb package in jessie. A recently
reported vulnerability against libqb which allows users to overwrite
arbitrary files via a symlink attack cannot be adequately addressed in
libqb in jessie. Upstream no longer supports this version and no packages
in jessie depend upon libqb. We recommend that if your systems or
applications depend upon the libqb package provided from the Debian
archive that you upgrade your systems to a more recent Debian release or
find an alternate and up to date source of libqb packages.

Additionally, MySQL 5.5 is no longer supported. Upstream has ended its
support and we are unable to backport fixes from newer versions due to
the lack of patch details. Options are to switch to MariaDB 10.0 in
jessie or to a newer version of MySQL in more recent Debian releases.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS