Bug#1054189: bullseye-pu: package debian-security-support/1:11+2023.10.17

2024-01-21 Thread Holger Levsen
hi!

On Fri, Dec 29, 2023 at 03:23:55PM +, Jonathan Wiltshire wrote:
> In the past this package has been released early via stable-updates; is
> that your intention this time, or can it wait until the next point release
> expected in February?
 
after having spent a bit too much time thinking about this I've come to the
conclusion that I think updates of d-s-s in stable and previous releases should
a.) always come with an announcement and b.) always come ASAP, whatever
that means in detail.

Does that make sense to you too?

(for completeness: updates in unstable and testing should also be done ASAP
and without announcements.)


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

»Sieh, dass du Mensch bleibst. Mensch sein ist von allem die Hauptsache.
Und das heißt fest und klar und heiter sein, ja heiter, trotz alledem.«
(Rosa Luxemburg)




Bug#1054189: bullseye-pu: package debian-security-support/1:11+2023.10.17

2023-12-29 Thread Jonathan Wiltshire
On Fri, Dec 22, 2023 at 03:58:15PM +, Holger Levsen wrote:
> On Thu, Dec 21, 2023 at 08:59:31PM +, Jonathan Wiltshire wrote:
> > > I've updated this update request for adding 3 more lines to
> > > security-support-ended.deb11 (and updating d/changelog)
> > Please go ahead.
> 
> thanks, uploaded.

In the past this package has been released early via stable-updates; is
that your intention this time, or can it wait until the next point release
expected in February?

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Bug#1054189: bullseye-pu: package debian-security-support/1:11+2023.10.17

2023-12-22 Thread Holger Levsen
On Thu, Dec 21, 2023 at 08:59:31PM +, Jonathan Wiltshire wrote:
> > I've updated this update request for adding 3 more lines to
> > security-support-ended.deb11 (and updating d/changelog)
> Please go ahead.

thanks, uploaded.


-- 
cheers,
Holger


First they ignore you, then they laugh at you, and then it's too late.
Don't look up!




Bug#1054189: bullseye-pu: package debian-security-support/1:11+2023.10.17

2023-12-21 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Mon, Dec 11, 2023 at 04:30:08PM +, Holger Levsen wrote:
> I've updated this update request for adding 3 more lines to
> security-support-ended.deb11 (and updating d/changelog)

Please go ahead.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw




Bug#1054189: bullseye-pu: package debian-security-support/1:11+2023.10.17

2023-12-11 Thread Holger Levsen
control: retitle -1 bullseye-pu: package debian-security-support/1:11+2023.12.11
thanks

hi,

I've updated this update request for adding 3 more lines to
security-support-ended.deb11 (and updating d/changelog)

On Wed, Oct 18, 2023 at 04:46:44PM -0300, Santiago Ruano Rincón wrote:
> [ Reason ]
> The reasons for this proposed update are:
> * Fix two bugs already solved in bookworm (#986581 and #986333)
> * Include samba in the list of packages with limited support (#1053109).
> 
> Currently, because of #986581 and #986333, d-s-s's check-support-status
> silently ignores "golang*" packages, so users don't get any warning
> about their limited support status.

now also to add these 3 lines to security-support-ended.deb11:

tor      0.4.5.16-1               2023-11-22  https://lists.debian.org/debian-security-announce/2023/msg00258.html
consul   1.8.7+dfsg1-2            2023-12-04  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057418
xen      4.14.5+94-ge49571868d-1  2023-09-30  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053246

 
> [ Impact ]
> Bullseye users will continue not to get any warning about the limited
> support regarding the golang.* packages installed in their systems.
> 
> As for the samba-related change, without the upload, users will lose a
> chance to get informed about its security support situation.
> 
> [ Tests ]
> The changes include tests to verify #986581 and #986333 have been fixed.
> I have also manually verified on a bullseye container how the current
> and the proposed packages behave, and I can confirm the issues are
> fixed, and I didn't identify any regression.
> 
> [ Risks ]
> The relevant code has been included in bookworm since its release; it
> was fully included in 1:12+2021.09.30:
> https://tracker.debian.org/news/1263114/accepted-debian-security-support-11220210930-source-into-unstable/
> 
> The only difference in check-support-status.in between the proposed
> update and bookworm is:
> 
> git diff HEAD bookworm -- check-support-status.in
> diff --git a/check-support-status.in b/check-support-status.in
> index 3ebf5e9..86b080a 100755
> --- a/check-support-status.in
> +++ b/check-support-status.in
> @@ -13,7 +13,7 @@ VERSION='[% VERSION %]'
>  # Oldest Debian version included in debian-security-support
>  DEB_LOWEST_VER_ID=9
>  # Version ID for next Debian stable
> -DEB_NEXT_VER_ID=12
> +DEB_NEXT_VER_ID=13
> 
>  if [ -z "$DEBIAN_VERSION" ] ; then
>  DEBIAN_VERSION="$(cat /etc/debian_version | grep '[0-9.]' | cut -d. -f1)"
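Review bot: the only change in this hunk is the constant DEB_NEXT_VER_ID (12 in the proposed bullseye branch, 13 in bookworm), and the comment right above it calls it the "Version ID for next Debian stable", so 12 is the expected value for a bullseye package; the difference is a property of the branch, not of this update. Suggest making that explicit in the comment, e.g. `# Version ID for next Debian stable (12 on the bullseye branch, 13 on bookworm)`, so a later cherry-pick from bookworm does not pull `DEB_NEXT_VER_ID=13` into bullseye by accident.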
> 
> So the risk of regression is minimum.
> 
> 
> Regarding the change of adding samba to the list of packages with
> limited support: that doesn't represent any risk.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> 
> From d/changelog:

the full new changelog is:

debian-security-support (1:11+2023.12.11) UNRELEASED-bullseye; urgency=medium

  [ Santiago Ruano Rincón ]
  * Mark samba support limited to non-AD DC use cases (Closes: #1053109)
  * Drop version-based check (Closes: #986581) and update test suite
    accordingly. Backport changes made by Sylvain Beucler.
  * Match ecosystems with limited support, test case updated. (Closes: #986333)
    Backport changes by Sylvain Beucler.
  * Use golang.* (as regex) instead of golang* in security-support-limited

  [ Salvatore Bonaccorso ]
  * Add tor to security-support-ended.deb11 Closes: #1056606.

  [ Moritz Muehlenhoff ]
  * Mark Consul as EOLed in Bullseye. Closes: #1057418.
  * Mark Xen as EOLed in Bullseye. Closes: #1053246.

 -- Santiago Ruano Rincón   Tue, 17 Oct 2023 13:08:20 -0300



I haven't uploaded this yet but everything is ready in a git branch.

Thanks!


-- 
cheers,
Holger


Be careful when you follow the masses. Sometimes the "m" is silent.




Bug#1054189: bullseye-pu: package debian-security-support/1:11+2023.10.17

2023-10-18 Thread Santiago Ruano Rincón
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: debian-security-supp...@packages.debian.org
Control: affects -1 + src:debian-security-support

Dear release team,

[ Reason ]
The reasons for this proposed update are:
* Fix two bugs already solved in bookworm (#986581 and #986333)
* Include samba in the list of packages with limited support (#1053109).

Currently, because of #986581 and #986333, d-s-s's check-support-status
silently ignores "golang*" packages, so users don't get any warning
about their limited support status.

[ Impact ]
Bullseye users will continue not to get any warning about the limited
support regarding the golang.* packages installed in their systems.

As for the samba-related change, without the upload, users will lose a
chance to get informed about its security support situation.

[ Tests ]
The changes include tests to verify #986581 and #986333 have been fixed.
I have also manually verified on a bullseye container how the current
and the proposed packages behave, and I can confirm the issues are
fixed, and I didn't identify any regression.

[ Risks ]
The relevant code has been included in bookworm since its release; it
was fully included in 1:12+2021.09.30:
https://tracker.debian.org/news/1263114/accepted-debian-security-support-11220210930-source-into-unstable/

The only difference in check-support-status.in between the proposed
update and bookworm is:

git diff HEAD bookworm -- check-support-status.in
diff --git a/check-support-status.in b/check-support-status.in
index 3ebf5e9..86b080a 100755
--- a/check-support-status.in
+++ b/check-support-status.in
@@ -13,7 +13,7 @@ VERSION='[% VERSION %]'
 # Oldest Debian version included in debian-security-support
 DEB_LOWEST_VER_ID=9
 # Version ID for next Debian stable
-DEB_NEXT_VER_ID=12
+DEB_NEXT_VER_ID=13

 if [ -z "$DEBIAN_VERSION" ] ; then
 DEBIAN_VERSION="$(cat /etc/debian_version | grep '[0-9.]' | cut -d. -f1)"
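Review bot: the direction of this hunk is easy to misread. The command shown is `git diff HEAD bookworm`, so the `-DEB_NEXT_VER_ID=12` line is the state of the proposed bullseye update and `+DEB_NEXT_VER_ID=13` is bookworm; nothing here is being applied to bullseye. Suggest saying so in one sentence next to the diff (or running the diff the other way round, `git diff bookworm HEAD`), so a reviewer skimming the request does not take it for a change that bumps the constant in the bullseye package.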

So the risk of regression is minimum.


Regarding the change of adding samba to the list of packages with
limited support: that doesn't represent any risk.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

From d/changelog:

  * Mark samba support limited to non-AD DC use cases (Closes: #1053109)

The explanation is found here: https://www.debian.org/security/2021/dsa-5015

  * Drop version-based check (Closes: #986581) and update test suite
    accordingly. Backport changes made by Sylvain Beucler.
  * Match ecosystems with limited support, test case updated. (Closes: #986333)
    Backport changes by Sylvain Beucler.

These changes are reflected in check-support-status.in. The tests to
check them are found in t/check-support-status. To fix the relevant
bugs, the changes needed to remove a conditional, to avoid comparing
against an installed version. That check is kind of obsolete, and it
didn't make any sense to compare against package name patterns.
Second, the changes included the fix to compare against a regex
pattern, and avoid misidentifying packages whose name would match
the non-optimal "golang*". And that is the reason for:

* Use golang.* (as regex) instead of golang* in security-support-limited

[ Other info ]

N/A

Cheers,

 -- Santiago
diff -Nru debian-security-support-11+2023.05.04/check-support-status.in 
debian-security-support-11+2023.10.17/check-support-status.in
--- debian-security-support-11+2023.05.04/check-support-status.in   
2023-05-04 14:27:19.0 -0300
+++ debian-security-support-11+2023.10.17/check-support-status.in   
2023-10-17 13:08:20.0 -0300
@@ -175,12 +175,11 @@
 
 # Create intersection
 LEFT="$TEMPDIR/left"
-RIGHT="$TEMPDIR/right"
 INTERSECTION_LIST="$TEMPDIR/intersection"
 [% AWK %] -F'\t' '{print $3}' "$INSTALLED_LIST" | LC_ALL=C sort -u >"$LEFT"
-grep -v '^#' "$LIST" | LC_ALL=C sort | [% AWK %] '{print $1}' >"$RIGHT"
+PATTERNS=$(grep -vP '^(#|$)' "$LIST" | [% AWK %] '{print $1}' | paste -sd'|')
 
-LC_ALL=C comm -12 "$LEFT" "$RIGHT" >"$INTERSECTION_LIST"
+LC_ALL=C grep -P -x -e "$PATTERNS" "$LEFT" >"$INTERSECTION_LIST" || true
 if [ ! -s "$INTERSECTION_LIST" ] ; then
 # nothing to do
 exit 0
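Review bot: after this hunk every first field of "$LIST" is a PCRE alternative matched with `-x` against the installed source names, so any literal entry that contains regex metacharacters now needs escaping: an unescaped `.` in a package name matches any character and a `+` becomes a quantifier, which silently widens what gets flagged. Suggest either escaping such entries in the list files or stating in the list header that the first column is a regex. Two smaller points: `grep -P` ties the script to a PCRE-enabled grep while the surrounding lines still go through the `[% AWK %]` template for portability, and when the filtered list is empty `$PATTERNS` is empty and `grep -x -e ""` matches only empty lines, so the `|| true` is what keeps that case on the `exit 0` path below; a comment on the `|| true` would make that intent clear.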
@@ -190,9 +189,14 @@
 mkdir -p "$TD"
 
 cat "$INTERSECTION_LIST" | while read SRC_NAME ; do
+LINE=$(grep -vP '^(#|$)' "$LIST" | while read pattern rest ; do
+if echo $SRC_NAME | grep -q -P -x -e "$pattern" ; then
+echo "$pattern $rest"
+break
+fi
+done)
 IFS="$(printf '\nx')"
 IFS="${IFS%x}"
-LINE="$([% AWK %] '($1=="'"$SRC_NAME"'"){print}' "$LIST" | head -1)"
 case "$TYPE" in
 earlyend)
 TMP_WHEN="$(echo "$LINE" | [% AWK %] '{print $3}')"
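Review bot: the new LINE lookup at the top of this hunk has two `read`-related problems. It runs before the `IFS="$(printf '\nx')"` / `IFS="${IFS%x}"` lines just below it, but that assignment persists across iterations of the `while read SRC_NAME` loop, so unless the end of the loop body (not visible in this hunk) restores IFS, from the second package onwards `read pattern rest` sees IFS as a lone newline, puts the whole list line into `pattern`, and `grep -q -P -x -e "$pattern"` never matches. Also, `read` without `-r` strips backslashes, so an escaped metacharacter such as `\.` in a list entry is unescaped here but kept intact by the awk/paste pipeline in the previous hunk, making the two matching paths disagree. Suggest `while IFS="$(printf ' \t')" read -r pattern rest` (or keeping the lookup in `[% AWK %]` as the removed `LINE=` line did) and quoting `"$SRC_NAME"` in the echo.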
@@ -256,34 +260,28 @@
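The debdiff above replaces an exact-name intersection with a whole-line regex match, which is what lets "golang.*" cover golang packages that the literal "golang*" entry never matched. The script below is an added example, not code from debian-security-support: it reproduces both strategies on constructed lists, uses grep -E -x in place of the script's grep -P -x so it runs with any POSIX grep, and every package name and list entry in it is made up.

```shell
#!/bin/sh
# Added example (not the debian-security-support script). Reproduces the old
# exact-name intersection and the new regex alternation from the bullseye
# debdiff on constructed data. grep -E -x stands in for grep -P -x.

# Constructed list of installed source package names, one per line.
INSTALLED='golang-github-foo
python3x9
samba
tor
'
# Constructed limited-support list: "<source pattern>  <note>"; lines
# starting with # are comments, as in security-support-limited.
LIMITED='# source   note
golang.*   Go packages are statically linked
samba      Only non-AD DC use cases are supported
python3.9  constructed entry with an unescaped dot
'

# Old strategy: first fields are treated as literal names and intersected
# with comm -12, so "golang.*" never equals an installed package name and
# no golang warning is ever produced.
old_match() {
    d=$(mktemp -d)
    printf '%s' "$INSTALLED" | LC_ALL=C sort -u > "$d/left"
    printf '%s' "$1" | grep -v '^#' | awk '{print $1}' | LC_ALL=C sort > "$d/right"
    LC_ALL=C comm -12 "$d/left" "$d/right"
    rm -rf "$d"
}

# New strategy: first fields are joined into one alternation and matched
# against whole lines (-x). "golang.*" now covers golang-github-foo, but the
# unescaped "." in the literal python3.9 entry also matches python3x9.
new_match() {
    patterns=$(printf '%s' "$1" | grep -v -e '^#' -e '^$' | awk '{print $1}' | paste -sd'|' -)
    printf '%s' "$INSTALLED" | LC_ALL=C sort -u | LC_ALL=C grep -E -x -e "$patterns" || true
}

# Same list with the literal entry escaped as python3\.9: python3x9 no
# longer matches, which is the escaping the regex switch now requires.
LIMITED_ESCAPED=$(printf '%s' "$LIMITED" | sed 's/^python3\.9/python3\\.9/')

old_match "$LIMITED"          # prints: samba
new_match "$LIMITED"          # prints: golang-github-foo, python3x9, samba
new_match "$LIMITED_ESCAPED"  # prints: golang-github-foo, samba
```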