Bug#799019: jessie-pu: package golang/2:1.3.3-1+deb8u1

2015-11-05 Thread Adam D. Barratt
Control: tags -1 + moreinfo

On Tue, 2015-09-15 at 13:36 -0700, Tianon Gravi wrote:
> On 15 September 2015 at 12:15, Julien Cristau  wrote:
> > Does this involve rebuilding reverse dependencies?
> 
> Unfortunately, yes.  We could skip arch:all since those are going to
> be -dev packages that contain source, but any actual binaries would
> need to be rebuilt.

Do you have an estimate of how many packages that would be? I looked at
the output of "dak rm -Rn -s stable golang" and made various sad faces.

(Also, do -dev packages that are architecture-dependent also need
rebuilding? I wasn't clear from your description, but for instance:

golang-websocket-dev | 0.0~git20140119-1   | stable  | amd64, armel, armhf, i386
golang-websocket-dev | 0.0~git20150811.0.b6ab76f-1 | testing | all
golang-websocket-dev | 0.0~git20150811.0.b6ab76f-1 | unstable| all
)

> To Salvatore's comment, I'd be happy to update to include the fix for
> that too if RT is OK with it. :)  (Meanwhile will work on getting a
> fix for it into unstable.)

It doesn't look like that happened yet? (Or the Security Tracker hasn't
been updated.)

Regards,

Adam



Bug#799019: jessie-pu: package golang/2:1.3.3-1+deb8u1

2015-11-05 Thread Salvatore Bonaccorso
Hi Tianon,

On Thu, Nov 05, 2015 at 06:41:54AM -0800, Tianon Gravi wrote:
> I think this is a case of the security tracker not being updated:
> 
> | golang (2:1.4.3-1) unstable; urgency=medium
> |
> |  * New upstream version
> |    (https://golang.org/doc/devel/release.html#go1.4.minor)
> |- includes previous CVE and non-CVE security fixes, especially
> |  TEMP-000-1C4729
> |
> |  -- Tianon Gravi   Fri, 25 Sep 2015 00:02:31 -0700
> 
> (Upstream made a 1.4.3 release that is 1.4.2 + CVE and security fixes.)

Thanks for the notice. I have updated the security-tracker side for
this. Btw, please do not use these TEMP identifiers, they are not
meant to be stable at any rate. E.g. if we file a bug in the BTS they
will already change.

Regards,
Salvatore



Bug#799019: jessie-pu: package golang/2:1.3.3-1+deb8u1

2015-11-05 Thread Tianon Gravi
On 5 November 2015 at 08:08, Salvatore Bonaccorso  wrote:
> Thanks for the notice. I have updated the security-tracker side for
> this. Btw, please do not use these TEMP identifiers, they are not
> meant to be stable at any rate. E.g. if we file a bug in the BTS they
> will already change.

Doh, sorry!  I was trying to make sure I referenced it identifiably
since it didn't have any other real identifier.  Now I know. >.<

♥,
- Tianon
  4096R / B42F 6819 007F 00F8 8E36  4FD4 036A 9C25 BF35 7DD4



Bug#799019: jessie-pu: package golang/2:1.3.3-1+deb8u1

2015-11-05 Thread Tianon Gravi
On 5 November 2015 at 06:23, Adam D. Barratt  wrote:
> Do you have an estimate of how many packages that would be? I looked at
> the output of "dak rm -Rn -s stable golang" and made various sad faces.

That sad face is 100% warranted. :(  I don't know the number off-hand,
but I imagine it's pretty large by now.

> (Also, do -dev packages that are architecture-dependent also need
> rebuilding? I wasn't clear from your description, but for instance:
>
> golang-websocket-dev | 0.0~git20140119-1   | stable  | amd64, armel, armhf, i386
> golang-websocket-dev | 0.0~git20150811.0.b6ab76f-1 | testing | all
> golang-websocket-dev | 0.0~git20150811.0.b6ab76f-1 | unstable| all
> )

Right -- I meant -dev packages which are arch:all, since they're going
to just be full of .go files.  Any that aren't _probably_ contain a
binary, and thus would need a rebuild (or a maintainer made a mistake
and it's really supposed to be an arch:all package, but I don't think
we've got many of those left).

>> To Salvatore's comment, I'd be happy to update to include the fix for
>> that too if RT is OK with it. :)  (Meanwhile will work on getting a
>> fix for it into unstable.)
>
> It doesn't look like that happened yet? (Or the Security Tracker hasn't
> been updated.)

I think this is a case of the security tracker not being updated:

| golang (2:1.4.3-1) unstable; urgency=medium
|
|  * New upstream version
|    (https://golang.org/doc/devel/release.html#go1.4.minor)
|- includes previous CVE and non-CVE security fixes, especially
|  TEMP-000-1C4729
|
|  -- Tianon Gravi   Fri, 25 Sep 2015 00:02:31 -0700

(Upstream made a 1.4.3 release that is 1.4.2 + CVE and security fixes.)

♥,
- Tianon
  4096R / B42F 6819 007F 00F8 8E36  4FD4 036A 9C25 BF35 7DD4
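The rebuild rule Tianon describes above (skip arch:all -dev packages that only ship .go source, rebuild anything built per-architecture because it probably contains a statically linked binary) applied to listing lines in the same layout as the golang-websocket-dev lines quoted in this thread. This is an added example, not code from the bug report or from Debian's tooling; the listing is constructed and the package names other than golang-websocket-dev are invented.

```python
# Added example: classify reverse dependencies of golang in a given suite
# into "needs rebuild" and "can be skipped" after a toolchain security
# update, following the arch:all rule given in the thread.
from dataclasses import dataclass

# Constructed sample in the "pkg | version | suite | archs" layout quoted in
# the thread; golang-example-dev and golang-example-tool are invented names.
SAMPLE_LISTING = """\
golang-websocket-dev | 0.0~git20140119-1           | stable   | amd64, armel, armhf, i386
golang-websocket-dev | 0.0~git20150811.0.b6ab76f-1 | testing  | all
golang-example-dev   | 1.0-1                       | stable   | all
golang-example-tool  | 1.0-1                       | stable   | amd64, i386
"""

@dataclass(frozen=True)
class Entry:
    package: str
    version: str
    suite: str
    archs: tuple

def parse_listing(text):
    """Parse pipe-separated listing lines into Entry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4:
            raise ValueError(f"unexpected line: {line!r}")
        archs = tuple(a.strip() for a in fields[3].split(",") if a.strip())
        entries.append(Entry(fields[0], fields[1], fields[2], archs))
    return entries

def needs_rebuild(entry):
    """arch:all packages carry only source; per-arch ones embed compiled code."""
    return entry.archs != ("all",)

def rebuild_plan(text, suite="stable"):
    """Return (rebuild, skip) package-name lists for the given suite only."""
    rebuild, skip = [], []
    for e in parse_listing(text):
        if e.suite != suite:
            continue  # only the suite receiving the toolchain update matters
        (rebuild if needs_rebuild(e) else skip).append(e.package)
    return rebuild, skip

if __name__ == "__main__":
    rebuild, skip = rebuild_plan(SAMPLE_LISTING)
    print("rebuild:", rebuild)
    print("skip (arch:all, source only):", skip)
```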



Bug#799019: jessie-pu: package golang/2:1.3.3-1+deb8u1

2015-09-15 Thread Julien Cristau
On Mon, Sep 14, 2015 at 17:18:30 -0700, Tianon Gravi wrote:

> Package: release.debian.org
> User: release.debian@packages.debian.org
> Usertags: pu
> Tags: jessie
> Severity: normal
> 
> Hi!
> 
> "src:golang" has recently had a group of non-critical CVEs (#795106);
> I've finally got a fix in unstable now, but the security team
> requested[1] that I also propose an upload to s-p-u to update
> jessie.
> 
Does this involve rebuilding reverse dependencies?

Cheers,
Julien




Bug#799019: jessie-pu: package golang/2:1.3.3-1+deb8u1

2015-09-15 Thread Tianon Gravi
On 15 September 2015 at 12:15, Julien Cristau  wrote:
> Does this involve rebuilding reverse dependencies?

Unfortunately, yes.  We could skip arch:all since those are going to
be -dev packages that contain source, but any actual binaries would
need to be rebuilt.

To Salvatore's comment, I'd be happy to update to include the fix for
that too if RT is OK with it. :)  (Meanwhile will work on getting a
fix for it into unstable.)

♥,
- Tianon
  4096R / B42F 6819 007F 00F8 8E36  4FD4 036A 9C25 BF35 7DD4



Bug#799019: jessie-pu: package golang/2:1.3.3-1+deb8u1

2015-09-14 Thread Salvatore Bonaccorso
Hi Tianon,

On Mon, Sep 14, 2015 at 05:18:30PM -0700, Tianon Gravi wrote:
> Package: release.debian.org
> User: release.debian@packages.debian.org
> Usertags: pu
> Tags: jessie
> Severity: normal
> 
> Hi!
> 
> "src:golang" has recently had a group of non-critical CVEs (#795106);
> I've finally got a fix in unstable now, but the security team
> requested[1] that I also propose an upload to s-p-u to update
> jessie.
> 
> I've attached the proposed debdiff -- the only functional change is
> the addition of the .patch file containing the three backported
> upstream commits to fix the CVEs.
> 
> [1]: https://bugs.debian.org/795106#45
> 
> Thanks for your consideration!

Remark: not speaking as Release Team member, just "outsider": could
you as well include the fix for the issue without CVE, see:

https://security-tracker.debian.org/tracker/source-package/golang

(it needs to be addressed as well in unstable before though).

Regards,
Salvatore



Bug#799019: jessie-pu: package golang/2:1.3.3-1+deb8u1

2015-09-14 Thread Tianon Gravi
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

Hi!

"src:golang" has recently had a group of non-critical CVEs (#795106);
I've finally got a fix in unstable now, but the security team
requested[1] that I also propose an upload to s-p-u to update
jessie.

I've attached the proposed debdiff -- the only functional change is
the addition of the .patch file containing the three backported
upstream commits to fix the CVEs.

[1]: https://bugs.debian.org/795106#45

Thanks for your consideration!

♥,
- Tianon
  4096R / B42F 6819 007F 00F8 8E36  4FD4 036A 9C25 BF35 7DD4


golang_2:1.3.3-1.debdiff
Description: Binary data