Hello folks,

I've worked on ffmpeg to fix the CVEs in bullseye and prepared the upload this past weekend. I still need to push the changes to lts-team/packages/ffmpeg, but one thing needs solving before that.

Currently, if one gbp clones the repo and downloads the orig tarball from the Debian archive, it's not possible to build from source. dpkg-source complains about unexpected changes in the source (I tested with sbuild and gbp buildpackage --git-builder=sbuild).

Looking at the commit history, things seem very weird:
* ab11aa7496 (HEAD -> debian/bullseye, tag: debian/7%4.3.9-0+deb11u1, ) DLA
7:4.3.9-0+deb11u1
* abe8b709ef Merge tag 'upstream/4.3.9' into debian/bullseye
* 510b685fb2 (tag: debian/7%4.3.8-0+deb11u3) Import Debian changes
7:4.3.8-0+deb11u3
* 669100acac (tag: debian/7%4.3.8-0+deb11u2) Import Debian changes
7:4.3.8-0+deb11u2
|\
| * 2a5add219a (tag: upstream/4.3.8, origin/upstream) Import Upstream version
4.3.8
| * 27873c00e2 Import Upstream version 4.3.8
| * f44990f0bb Import Upstream version 4.3.8
| * 92bc1184a1 Import Upstream version 4.3.8
| * fb1d40307e Import Upstream version 4.3.8
| * d73b06f932 Import Upstream version 4.3.8
| * 986d5d6dae Import Upstream version 4.3.8
| * 42bf744f41 Import Upstream version 4.3.8
| * c4b3ef131d (tag: upstream/4.1.11) Import Upstream version 4.1.11
| * 4582c38aac (tag: upstream/3.2.19) New upstream version 3.2.19
| * bdde3cc254 (tag: upstream/4.1.10) Import Upstream version 4.1.10
| * 01242f962c (tag: upstream/3.2.18) New upstream version 3.2.18
| * 25209261b2 (tag: upstream/3.2.17) New upstream version 3.2.17
| * 23aefd3e4e (tag: upstream/3.2.16) New upstream version 3.2.16
| * 17a25d0b89 (tag: upstream/3.2.15) New upstream version 3.2.15
* d359857ddb (tag: debian/7%4.3.8-0+deb11u1) Release to bullseye
* 27629c17e4 Add CI pipeline for bullseye
* c846ebb84f Add patches for CVE-2024-31578 and CVE-2023-49502
* b8b975d0b6 New upstream release
* 2bac0b5447 Update upstream source from tag 'upstream/4.3.8'
|\
| * d2af485103 New upstream version 4.3.8
* | 2eca5fb979 Import Debian changes 7:4.3.7-0+deb11u1
|\|
| * 288752cf49 Import Upstream version 4.3.7
Generally speaking, I avoid force pushing by all means necessary,
especially if things just look weird in the history. The problem is that
one can't build from source from this git repo so I don't think there is
a point trying hard to keep the history, especially since they were just
gbp import-dsc after d359857ddb. So I did re-import the dscs from
snapshot.d.o under my own salsa namespace and worked there to prepare
the new bullseye release. Are we ok with force pushing this new history
there? Mind that only the commits after d359857ddb were changed. The new
tree looks like this:
* f89aa674 (HEAD -> debian/bullseye, origin/debian/bullseye) Update changelog
for 7:4.3.9-0+deb11u2 release
* 56822e3e d/p/CVE-2025-63757.patch: cherry-pick from upstream
* ebb6262e d/salsa-ci.yml: add (E)LTS pipeline for bullseye
* ebf6632d d/p/CVE-2025-10256.patch: backport from upstream
* e49dddaa d/p/fix-use-of-uninitialized-memory.patch: cherry-pick from upstream
* f8fd00a7 d/p/CVE-2025-9951-{1,2}.patch: cherry-pick from upstream
* ef810fa8 d/p/CVE-2025-7700.patch: backport from upstream
* f05f8f58 d/p/CVE-2025-1594.patch: cherry-pick from upstream
* dfe8140a d/p/CVE-2024-36615-2.patch: backport regression fix from upstream
* 9c10a040 d/p/CVE-2024-36615-1.patch: backport from upstream
* c5bf626b d/p/CVE-2023-6603.patch: cherry-pick from upstream
* ed5fddfa Import Debian changes 7:4.3.9-0+deb11u1
|\
| * d247ffd1 (tag: upstream/4.3.9, origin/upstream/bullseye) Import Upstream
version 4.3.9
* | 69d942c7 Import Debian changes 7:4.3.8-0+deb11u3
* | bc93ee60 Import Debian changes 7:4.3.8-0+deb11u2
* | d359857d Release to bullseye
* | 27629c17 Add CI pipeline for bullseye
* | c846ebb8 Add patches for CVE-2024-31578 and CVE-2023-49502
* | b8b975d0 New upstream release
* | 2bac0b54 Update upstream source from tag 'upstream/4.3.8'
|\|
| * d2af4851 New upstream version 4.3.8
* | 2eca5fb9 (tag: debian/7%4.3.7-0+deb11u1) Import Debian changes
7:4.3.7-0+deb11u1
|\|
| * 288752cf (tag: upstream/4.3.7) Import Upstream version 4.3.7
Cheers,
Charles
