Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:debian-security-support

Dear release team,

I'd like to propose a bookworm update for debian-security-support.

[ Reason ]
There are two changes: fixing #1106203, and a typo in a package name.

#1106203 makes the purpose of check-security-support (the main debian-security-support script) null for packages that have been NMU'ed or that have a different version between the source and binary packages. See some examples at https://salsa.debian.org/debian/debian-security-support/-/merge_requests/44#note_615156

[ Impact ]
The user will continue to not be warned that the concerned installed packages don't benefit from full security support from Debian.

[ Tests ]
A test has been added to the package, that is run during build time.

I've tested the test on my own bookworm machine, and now I get results like:

* Source:golang-github-containers-buildah
  Details: See https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#golang-static-linking
  Affected binary package:
  - buildah (installed version: 1.28.2+ds1-3+deb12u1+b1)

[ Risks ]
The code is trivial, and the tests have good coverage.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The main change is:

diff -Nru debian-security-support-12+2025.05.10/check-support-status.in debian-security-support-12+2025.06.20/check-support-status.in --- debian-security-support-12+2025.05.10/check-support-status.in 2025-05-10 09:43:50.000000000 -0300 +++ debian-security-support-12+2025.06.20/check-support-status.in 2025-06-20 17:54:47.000000000 -0300 
@@ -169,7 +169,7 @@ # Get list of installed packages INSTALLED_LIST="$TEMPDIR/installed" -LC_ALL=C [% DPKG_QUERY %] --show --showformat '${Status}\t${binary:Package}\t${Version}\t${Source}\n' | +LC_ALL=C [% DPKG_QUERY %] --show --showformat '${Status}\t${binary:Package}\t${Version}\t${source:Package}\n' | [% AWK %] '($1=="install"){print}' | [% AWK %] -F'\t' '{if($4==""){print $2"\t"$3"\t"$2}else{print $2"\t"$3"\t"$4}}' >"$INSTALLED_LIST"

When the version of a binary package differs from the source package, the old dpkg-query returns something like:

install ok installed buildah 1.28.2+ds1-3+deb12u1+b1 golang-github-containers-buildah (1.28.2+ds1-3+deb12u1)
                                                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

and the new one:

install ok installed buildah 1.28.2+ds1-3+deb12u1+b1 golang-github-containers-buildah
                                                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The remaining code compares the name of the source package with the underlined (^) string, with grep -x, so the name didn't match.

Changes in t/check-support-status.t include a test for the above.

And there is a typo fix in security-support-limited s/gobgpd/gobgp/ since check-security-support checks for the name of the source package, not the binary. I've verified that this works.

[ Other info ]
N/A

Thanks!

 -- Santiago

diff -Nru debian-security-support-12+2025.05.10/check-support-status.in
debian-security-support-12+2025.06.20/check-support-status.in
--- debian-security-support-12+2025.05.10/check-support-status.in
2025-05-10 09:43:50.000000000 -0300
+++ debian-security-support-12+2025.06.20/check-support-status.in
2025-06-20 17:54:47.000000000 -0300
@@ -169,7 +169,7 @@
# Get list of installed packages
INSTALLED_LIST="$TEMPDIR/installed"
-LC_ALL=C [% DPKG_QUERY %] --show --showformat
'${Status}\t${binary:Package}\t${Version}\t${Source}\n' |
+LC_ALL=C [% DPKG_QUERY %] --show --showformat
'${Status}\t${binary:Package}\t${Version}\t${source:Package}\n' |
[% AWK %] '($1=="install"){print}' |
[% AWK %] -F'\t' '{if($4==""){print $2"\t"$3"\t"$2}else{print
$2"\t"$3"\t"$4}}' >"$INSTALLED_LIST"
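Review bot: with `${source:Package}` in the format string, the `if($4=="")` fallback on the last awk line should never fire, because dpkg-query fills that virtual field with the binary package name when the package has no Source field. Either drop the branch or keep it with a comment saying it is defensive, and add a comment beside the format string noting that `${Source}` can carry a trailing `(version)` and must not be used for name matching, so the field is not swapped back later.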
diff -Nru debian-security-support-12+2025.05.10/debian/changelog
debian-security-support-12+2025.06.20/debian/changelog
--- debian-security-support-12+2025.05.10/debian/changelog 2025-05-10
10:05:50.000000000 -0300
+++ debian-security-support-12+2025.06.20/debian/changelog 2025-06-20
17:58:38.000000000 -0300
@@ -1,3 +1,11 @@
+debian-security-support (1:12+2025.06.20) bookworm; urgency=medium
+
+ * Query source:Package instead of Source to get the list of packages
+ (Closes: #1106203)
+ * Fix typo related to gobgp
+
+ -- Santiago Ruano Rincón <[email protected]> Fri, 20 Jun 2025 17:58:38
-0300
+
debian-security-support (1:12+2025.05.10) bookworm; urgency=medium
[ Salvatore Bonaccorso ]
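Review bot: the second changelog bullet, "Fix typo related to gobgp", does not say which file or which name changed. Wording such as "security-support-limited: list source package gobgp instead of binary package gobgpd" tells stable users which package starts being reported after the update; the first bullet could likewise say that packages whose binary and source versions differ were the ones being missed.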
diff -Nru debian-security-support-12+2025.05.10/security-support-limited
debian-security-support-12+2025.06.20/security-support-limited
--- debian-security-support-12+2025.05.10/security-support-limited
2025-05-10 09:54:22.000000000 -0300
+++ debian-security-support-12+2025.06.20/security-support-limited
2025-06-20 17:54:47.000000000 -0300
@@ -12,7 +12,7 @@
ganglia See README.Debian.security, only supported behind an
authenticated HTTP zone, #702775
ganglia-web See README.Debian.security, only supported behind an
authenticated HTTP zone, #702776
golang.* See
https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#golang-static-linking
-gobgpd See
https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#golang-static-linking
+gobgp See
https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#golang-static-linking
gnupg1 See #982258 and
https://www.debian.org/releases/stretch/amd64/release-notes/ch-whats-new.en.html#modern-gnupg
jython Includes python2.7 stdlib, support limited until Py3 port, see
#975058 and https://lists.debian.org/debian-lts/2024/08/msg00027.html
kde4libs khtml has no security support upstream, only for use on
trusted content
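Review bot: the `+gobgp` line fixes one binary-name/source-name mix-up, but the surrounding context lines show the list is not in alphabetical order at this point (`golang.*`, `gobgp`, `gnupg1`), which makes a misnamed or duplicate entry harder to spot. Consider moving the line to its sorted position in the same upload, and checking that no other literal entry in the file names a binary package rather than a source package.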
diff -Nru debian-security-support-12+2025.05.10/t/check-support-status.t
debian-security-support-12+2025.06.20/t/check-support-status.t
--- debian-security-support-12+2025.05.10/t/check-support-status.t
2025-05-10 09:43:50.000000000 -0300
+++ debian-security-support-12+2025.06.20/t/check-support-status.t
2025-06-20 17:54:47.000000000 -0300
@@ -213,6 +213,7 @@
__EOS__
write_file ($list_limited, <<__EOS__);
php5 See README.Debian.security for the PHP security policy
+gobgp binNMU'ed package from a statically linked ecosystem
__EOS__
mock_query_list (
$query_list,
@@ -225,6 +226,7 @@
[ 'ioi', 'supported-package', '1.0-1' ],
[ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ],
[ 'ioi', 'libjs-marked', '0.3.2+dfsg-1', 'node-marked' ],
+ [ 'ioi', 'gobgpd', '3.10.0-1+b4', 'gobgp' ],
],
);
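Review bot: the new `mock_query_list` row passes `'gobgp'` as an already clean fourth field, so as far as these lines show the test feeds the script the post-fix value and would pass just as well if the format string went back to `${Source}`. To pin #1106203, the mock would need to model the field the format string asks for, for example returning `gobgp (3.10.0-1)` when `${Source}` is requested, or the test should assert on the `--showformat` argument the script passes.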
@@ -253,6 +255,11 @@
- libjs-marked (installed version: 0.3.2+dfsg-1)
+* Source:gobgp
+ Details: binNMU'ed package from a statically linked ecosystem
+ Affected binary package:
+ - gobgpd (installed version: 3.10.0-1+b4)
+
* Source:php5
Details: See README.Debian.security for the PHP security policy
Affected binary package:
@@ -277,6 +284,7 @@
debconf/1.5.36.1
debconf-i18n/1.5.36.1
libjs-marked/0.3.2+dfsg-1
+gobgpd/3.10.0-1+b4
php5/5.3.3-7+squeeze19
openjdk-6-jre/6b35-1.13.7-1~deb7u1
__EOS__
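The mismatch described in the message, as an added example that is not part of the original report or of debian-security-support: it feeds constructed dpkg-query rows through the two awk stages shown in the patch and then applies a whole-line `grep -x` comparison. The sample rows, the `3.10.0-1` source version and the helper names `affected` and `unmatched_candidates` are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed dpkg-query rows (tab-separated), not output from a real system.
TAB=$(printf '\t')

# Fourth column as ${Source} prints it: "name (version)" once the binary
# version differs from the source version, empty when the names are equal.
sample_old() {
    printf 'install ok installed\tgobgpd\t3.10.0-1+b4\tgobgp (3.10.0-1)\n'
    printf 'install ok installed\tphp5\t5.3.3-7+squeeze19\t\n'
    printf 'deinstall ok config-files\toldpkg\t1.0-1\t\n'
}

# The same rows as ${source:Package} prints them: always the bare source name.
sample_new() {
    printf 'install ok installed\tgobgpd\t3.10.0-1+b4\tgobgp\n'
    printf 'install ok installed\tphp5\t5.3.3-7+squeeze19\tphp5\n'
    printf 'deinstall ok config-files\toldpkg\t1.0-1\toldpkg\n'
}

# The two awk stages from check-support-status.in: keep rows whose status
# starts with "install", then emit binary<TAB>version<TAB>source.
installed_list() {
    awk '($1=="install"){print}' |
    awk -F'\t' '{if($4==""){print $2"\t"$3"\t"$2}else{print $2"\t"$3"\t"$4}}'
}

# Binaries whose source column equals $1 as a whole line (grep -x), the
# comparison the message describes. Reads dpkg-query rows on stdin.
affected() {
    installed_list | while IFS="$TAB" read -r bin ver src; do
        if printf '%s\n' "$src" | grep -qx -- "$1"; then
            printf '%s (installed version: %s)\n' "$bin" "$ver"
        fi
    done
}

# Binaries whose source column still ends in "(version)": rows that a
# name-only comparison can never match.
unmatched_candidates() {
    installed_list | awk -F'\t' '$3 ~ / \(.*\)$/ {print $1}'
}

printf 'Source column from ${Source}:         [%s]\n' "$(sample_old | affected gobgp)"
printf 'Source column from ${source:Package}: [%s]\n' "$(sample_new | affected gobgp)"
```

Piping the real `dpkg-query` output with the old format string into `unmatched_candidates` lists the installed packages that the unfixed script could not report.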

