Bug#1040714: dhcpcd: Missing epoch from souce package version
Hi,

On Tue, 2023-07-11 at 21:54 +0200, Salvatore Bonaccorso wrote:
> Hi,
>
> On Tue, Jul 11, 2023 at 10:37:44PM +0300, Martin-Éric Racine wrote:
> > On Tue, Jul 11, 2023 at 10:05 PM Salvatore Bonaccorso wrote:
> > > On Tue, Jul 11, 2023 at 06:30:38PM +0300, Martin-Éric Racine wrote:
> > > > Reintroducing the epoch produces the following Lintian ERROR:
> > > >
> > > > E: dhcpcd source:
> > > > epoch-changed-but-upstream-version-did-not-go-backwards 10.0.1-2 ->
> > > > 1:10.0.1-3 [debian/changelog:1]
> > >
> > > The lintian tag in its intention is clear. But I believe in this case
> > > it reports in error. Because the history of the dhcpcd source package
> > > is as follows, cutting off some irrelevant in-between steps:
> > >
> > > 0.4-1 -> 1.3.8-0.1 -> 1:0.70-5 (epoch introduced here), then moved
> > > upwards -> 1:3.2.3-11 / 1:3.2.3-11+deb7u1 which was the last version
> > > available for a while.
> > >
> > > But then we dropped to 10.0.1-1 (which already missed the epoch).
> > >
> > > Now the lintian just only checks 10.0.1-2 -> 1:10.0.1-3 and thinks to
> > > report that the epoch addition is an error, but it would not if all
> > > the 10.0.1-1, 10.0.1-2 versions already had the epoch still.
> > >
> > > Does this make sense?
> >
> > Makes sense to me.
> >
> > Uploaded to Mentors. Please note that Mentors forces me to 'debuild
> > -sa' because it cannot find the 'orig' on its repository even though
> > it's already in unstable.
>
> Thanks! Boyuan (CC'ed), can you take it from there and would you be
> willing to sponsor Martin-Éric's work as you did for the previous two
> uploads?

Thanks. Reviewed and uploaded.

Best,
Boyuan Yang
Bug#1040714: dhcpcd: Missing epoch from souce package version
Hi,

On Tue, Jul 11, 2023 at 10:37:44PM +0300, Martin-Éric Racine wrote:
> On Tue, Jul 11, 2023 at 10:05 PM Salvatore Bonaccorso wrote:
> > On Tue, Jul 11, 2023 at 06:30:38PM +0300, Martin-Éric Racine wrote:
> > > Reintroducing the epoch produces the following Lintian ERROR:
> > >
> > > E: dhcpcd source:
> > > epoch-changed-but-upstream-version-did-not-go-backwards 10.0.1-2 ->
> > > 1:10.0.1-3 [debian/changelog:1]
> >
> > The lintian tag in its intention is clear. But I believe in this case
> > it reports in error. Because the history of the dhcpcd source package
> > is as follows, cutting off some irrelevant in-between steps:
> >
> > 0.4-1 -> 1.3.8-0.1 -> 1:0.70-5 (epoch introduced here), then moved
> > upwards -> 1:3.2.3-11 / 1:3.2.3-11+deb7u1 which was the last version
> > available for a while.
> >
> > But then we dropped to 10.0.1-1 (which already missed the epoch).
> >
> > Now the lintian just only checks 10.0.1-2 -> 1:10.0.1-3 and thinks to
> > report that the epoch addition is an error, but it would not if all
> > the 10.0.1-1, 10.0.1-2 versions already had the epoch still.
> >
> > Does this make sense?
>
> Makes sense to me.
>
> Uploaded to Mentors. Please note that Mentors forces me to 'debuild
> -sa' because it cannot find the 'orig' on its repository even though
> it's already in unstable.

Thanks! Boyuan (CC'ed), can you take it from there and would you be
willing to sponsor Martin-Éric's work as you did for the previous two
uploads?

Regards,
Salvatore
Bug#1040714: dhcpcd: Missing epoch from souce package version
On Tue, Jul 11, 2023 at 10:05 PM Salvatore Bonaccorso wrote:
> On Tue, Jul 11, 2023 at 06:30:38PM +0300, Martin-Éric Racine wrote:
> > Reintroducing the epoch produces the following Lintian ERROR:
> >
> > E: dhcpcd source:
> > epoch-changed-but-upstream-version-did-not-go-backwards 10.0.1-2 ->
> > 1:10.0.1-3 [debian/changelog:1]
>
> The lintian tag in its intention is clear. But I believe in this case
> it reports in error. Because the history of the dhcpcd source package
> is as follows, cutting off some irrelevant in-between steps:
>
> 0.4-1 -> 1.3.8-0.1 -> 1:0.70-5 (epoch introduced here), then moved
> upwards -> 1:3.2.3-11 / 1:3.2.3-11+deb7u1 which was the last version
> available for a while.
>
> But then we dropped to 10.0.1-1 (which already missed the epoch).
>
> Now the lintian just only checks 10.0.1-2 -> 1:10.0.1-3 and thinks to
> report that the epoch addition is an error, but it would not if all
> the 10.0.1-1, 10.0.1-2 versions already had the epoch still.
>
> Does this make sense?

Makes sense to me.

Uploaded to Mentors. Please note that Mentors forces me to 'debuild
-sa' because it cannot find the 'orig' on its repository even though
it's already in unstable.

Martin-Éric
Bug#1040714: dhcpcd: Missing epoch from souce package version
Hi Martin-Eric,

On Tue, Jul 11, 2023 at 06:30:38PM +0300, Martin-Éric Racine wrote:
> On Mon, Jul 10, 2023 at 7:30 PM Martin-Éric Racine wrote:
> >
> > On Mon, Jul 10, 2023 at 7:05 PM Salvatore Bonaccorso wrote:
> > > On Sun, Jul 09, 2023 at 10:39:59PM +0300, Martin-Éric Racine wrote:
> > > > On Sun, Jul 9, 2023 at 10:33 PM Salvatore Bonaccorso wrote:
> > > > > On Sun, Jul 09, 2023 at 09:25:33PM +0200, Salvatore Bonaccorso wrote:
> > > > > > Source: dhcpcd
> > > > > > Version: 10.0.1-1
> > > > > > Severity: serious
> > > > > > Justification: Debian version goes backwards from previous released
> > > > > > versions
> > > > > > X-Debbugs-Cc: car...@debian.org
> > > > > >
> > > > > > Hi
> > > > > >
> > > > > > The new src:dhcpcd has a lower version of any previous released
> > > > > > src:dhcpd version, which had an epoch:
> > > > >
> > > > > Apologies for the typo, should be src:dhcpcd in both cases obviously
> > > > > :(
> > > >
> > > > Which is a slightly different issue than what Andtreas reported at
> > > > #1037190. Sorry.
> > >
> > > No problem, just reopening while we discuss it.
> >
> > Agreed.
> >
> > > > Unless I'm mistaken, we're basically looking at 2 separate issues:
> > > >
> > > > 1) bin:dhcpcd from Wheezy has a higher epoch than the one in Bookworm.
> > > > This is easily fixed as explained in #1037190 for Bookworm.
> > > >
> > > > 2) Since transiting the source from src:dhcpcd5 to src:dhcpcd we're
> > > > missing an epoch for everything. This requires reverting the above fix
> > > > and simply introducing an epoch for the whole src and binaries.
> > >
> > > Yes correct, this is mainly as well what I was referring to. But that
> > > would solve as well at same time the former issue right, if we drop
> > > all special casing for epoch on the binary packages, is this correct?
> >
> > In Trixie, for the version, it would. Just insert the epoch for the
> > whole source (which would apply to the binaries generated too) and
> > we're done.
> >
> > However, we still need that preinst script to clean up possible Wheezy
> > leftovers.
> >
> > In Bookworm, we'll still need the version mingle just for one binary
> > target. debdiff for stable-proposed-updates are on #1037190 and the
> > upload is ready on Mentors.
> >
> > > So if we add the epoch to the whole src:dhcpcd version, and to the
> > > produced binaries I think all the issues should be resolved.
> > >
> > > My background is here:
> > > https://security-tracker.debian.org/tracker/source-package/dhcpcd
> > > e.g. https://security-tracker.debian.org/tracker/CVE-2002-1403 will be
> > > considered not yet fixed, because for dpkg:
> > >
> > > $ dpkg --compare-versions 1:1.3.22pl2-2 lt 10.0.1-1
> > > $ echo $?
> > > 1
> >
> > I was actually wondering how to close those old CVE against the old fork.
> >
> > > > Or have I misunderstood the issue?
> > >
> > > No, I think we are on the same page in my understanding!
> >
> > Excellent.
>
> Reintroducing the epoch produces the following Lintian ERROR:
>
> E: dhcpcd source:
> epoch-changed-but-upstream-version-did-not-go-backwards 10.0.1-2 ->
> 1:10.0.1-3 [debian/changelog:1]

The lintian tag in its intention is clear. But I believe in this case
it reports in error. Because the history of the dhcpcd source package
is as follows, cutting off some irrelevant in-between steps:

0.4-1 -> 1.3.8-0.1 -> 1:0.70-5 (epoch introduced here), then moved
upwards -> 1:3.2.3-11 / 1:3.2.3-11+deb7u1 which was the last version
available for a while.

But then we dropped to 10.0.1-1 (which already missed the epoch).

Now the lintian just only checks 10.0.1-2 -> 1:10.0.1-3 and thinks to
report that the epoch addition is an error, but it would not if all
the 10.0.1-1, 10.0.1-2 versions already had the epoch still.

Does this make sense?

Regards,
Salvatore
Bug#1040714: dhcpcd: Missing epoch from souce package version
On Mon, Jul 10, 2023 at 7:30 PM Martin-Éric Racine wrote:
>
> On Mon, Jul 10, 2023 at 7:05 PM Salvatore Bonaccorso wrote:
> > On Sun, Jul 09, 2023 at 10:39:59PM +0300, Martin-Éric Racine wrote:
> > > On Sun, Jul 9, 2023 at 10:33 PM Salvatore Bonaccorso wrote:
> > > > On Sun, Jul 09, 2023 at 09:25:33PM +0200, Salvatore Bonaccorso wrote:
> > > > > Source: dhcpcd
> > > > > Version: 10.0.1-1
> > > > > Severity: serious
> > > > > Justification: Debian version goes backwards from previous released
> > > > > versions
> > > > > X-Debbugs-Cc: car...@debian.org
> > > > >
> > > > > Hi
> > > > >
> > > > > The new src:dhcpcd has a lower version of any previous released
> > > > > src:dhcpd version, which had an epoch:
> > > >
> > > > Apologies for the typo, should be src:dhcpcd in both cases obviously
> > > > :(
> > >
> > > Which is a slightly different issue than what Andtreas reported at
> > > #1037190. Sorry.
> >
> > No problem, just reopening while we discuss it.
>
> Agreed.
>
> > > Unless I'm mistaken, we're basically looking at 2 separate issues:
> > >
> > > 1) bin:dhcpcd from Wheezy has a higher epoch than the one in Bookworm.
> > > This is easily fixed as explained in #1037190 for Bookworm.
> > >
> > > 2) Since transiting the source from src:dhcpcd5 to src:dhcpcd we're
> > > missing an epoch for everything. This requires reverting the above fix
> > > and simply introducing an epoch for the whole src and binaries.
> >
> > Yes correct, this is mainly as well what I was referring to. But that
> > would solve as well at same time the former issue right, if we drop
> > all special casing for epoch on the binary packages, is this correct?
>
> In Trixie, for the version, it would. Just insert the epoch for the
> whole source (which would apply to the binaries generated too) and
> we're done.
>
> However, we still need that preinst script to clean up possible Wheezy
> leftovers.
>
> In Bookworm, we'll still need the version mingle just for one binary
> target. debdiff for stable-proposed-updates are on #1037190 and the
> upload is ready on Mentors.
>
> > So if we add the epoch to the whole src:dhcpcd version, and to the
> > produced binaries I think all the issues should be resolved.
> >
> > My background is here:
> > https://security-tracker.debian.org/tracker/source-package/dhcpcd
> > e.g. https://security-tracker.debian.org/tracker/CVE-2002-1403 will be
> > considered not yet fixed, because for dpkg:
> >
> > $ dpkg --compare-versions 1:1.3.22pl2-2 lt 10.0.1-1
> > $ echo $?
> > 1
>
> I was actually wondering how to close those old CVE against the old fork.
>
> > > Or have I misunderstood the issue?
> >
> > No, I think we are on the same page in my understanding!
>
> Excellent.

Reintroducing the epoch produces the following Lintian ERROR:

E: dhcpcd source:
epoch-changed-but-upstream-version-did-not-go-backwards 10.0.1-2 ->
1:10.0.1-3 [debian/changelog:1]

Martin-Éric
Bug#1040714: dhcpcd: Missing epoch from souce package version
On Mon, Jul 10, 2023 at 7:05 PM Salvatore Bonaccorso wrote:
> On Sun, Jul 09, 2023 at 10:39:59PM +0300, Martin-Éric Racine wrote:
> > On Sun, Jul 9, 2023 at 10:33 PM Salvatore Bonaccorso wrote:
> > > On Sun, Jul 09, 2023 at 09:25:33PM +0200, Salvatore Bonaccorso wrote:
> > > > Source: dhcpcd
> > > > Version: 10.0.1-1
> > > > Severity: serious
> > > > Justification: Debian version goes backwards from previous released
> > > > versions
> > > > X-Debbugs-Cc: car...@debian.org
> > > >
> > > > Hi
> > > >
> > > > The new src:dhcpcd has a lower version of any previous released
> > > > src:dhcpd version, which had an epoch:
> > >
> > > Apologies for the typo, should be src:dhcpcd in both cases obviously
> > > :(
> >
> > Which is a slightly different issue than what Andtreas reported at
> > #1037190. Sorry.
>
> No problem, just reopening while we discuss it.

Agreed.

> > Unless I'm mistaken, we're basically looking at 2 separate issues:
> >
> > 1) bin:dhcpcd from Wheezy has a higher epoch than the one in Bookworm.
> > This is easily fixed as explained in #1037190 for Bookworm.
> >
> > 2) Since transiting the source from src:dhcpcd5 to src:dhcpcd we're
> > missing an epoch for everything. This requires reverting the above fix
> > and simply introducing an epoch for the whole src and binaries.
>
> Yes correct, this is mainly as well what I was referring to. But that
> would solve as well at same time the former issue right, if we drop
> all special casing for epoch on the binary packages, is this correct?

In Trixie, for the version, it would. Just insert the epoch for the
whole source (which would apply to the binaries generated too) and
we're done.

However, we still need that preinst script to clean up possible Wheezy
leftovers.

In Bookworm, we'll still need the version mingle just for one binary
target. debdiff for stable-proposed-updates are on #1037190 and the
upload is ready on Mentors.

> So if we add the epoch to the whole src:dhcpcd version, and to the
> produced binaries I think all the issues should be resolved.
>
> My background is here:
> https://security-tracker.debian.org/tracker/source-package/dhcpcd
> e.g. https://security-tracker.debian.org/tracker/CVE-2002-1403 will be
> considered not yet fixed, because for dpkg:
>
> $ dpkg --compare-versions 1:1.3.22pl2-2 lt 10.0.1-1
> $ echo $?
> 1

I was actually wondering how to close those old CVE against the old fork.

> > Or have I misunderstood the issue?
>
> No, I think we are on the same page in my understanding!

Excellent.

Martin-Éric
Processed: Re: Bug#1040714: dhcpcd: Missing epoch from souce package version
Processing control commands:

> reopen -1
Bug #1040714 {Done: Martin-Éric Racine } [src:dhcpcd] dhcpcd: Missing epoch from souce package version
Bug reopened
Ignoring request to alter fixed versions of bug #1040714 to the same values previously set

--
1040714: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040714
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1040714: dhcpcd: Missing epoch from souce package version
Control: reopen -1

Hi Martin-Eric,

On Sun, Jul 09, 2023 at 10:39:59PM +0300, Martin-Éric Racine wrote:
> On Sun, Jul 9, 2023 at 10:33 PM Salvatore Bonaccorso wrote:
> > On Sun, Jul 09, 2023 at 09:25:33PM +0200, Salvatore Bonaccorso wrote:
> > > Source: dhcpcd
> > > Version: 10.0.1-1
> > > Severity: serious
> > > Justification: Debian version goes backwards from previous released
> > > versions
> > > X-Debbugs-Cc: car...@debian.org
> > >
> > > Hi
> > >
> > > The new src:dhcpcd has a lower version of any previous released
> > > src:dhcpd version, which had an epoch:
> >
> > Apologies for the typo, should be src:dhcpcd in both cases obviously
> > :(
>
> Which is a slightly different issue than what Andtreas reported at
> #1037190. Sorry.

No problem, just reopening while we discuss it.

> Unless I'm mistaken, we're basically looking at 2 separate issues:
>
> 1) bin:dhcpcd from Wheezy has a higher epoch than the one in Bookworm.
> This is easily fixed as explained in #1037190 for Bookworm.
>
> 2) Since transiting the source from src:dhcpcd5 to src:dhcpcd we're
> missing an epoch for everything. This requires reverting the above fix
> and simply introducing an epoch for the whole src and binaries.

Yes correct, this is mainly as well what I was referring to. But that
would solve as well at same time the former issue right, if we drop
all special casing for epoch on the binary packages, is this correct?

So if we add the epoch to the whole src:dhcpcd version, and to the
produced binaries I think all the issues should be resolved.

My background is here:
https://security-tracker.debian.org/tracker/source-package/dhcpcd
e.g. https://security-tracker.debian.org/tracker/CVE-2002-1403 will be
considered not yet fixed, because for dpkg:

$ dpkg --compare-versions 1:1.3.22pl2-2 lt 10.0.1-1
$ echo $?
1

> Or have I misunderstood the issue?

No, I think we are on the same page in my understanding!

Thank you for looking into this issue.

Regards,
Salvatore
Bug#1040714: dhcpcd: Missing epoch from souce package version
Hi,

On Sun, Jul 09, 2023 at 10:29:58PM +0300, Martin-Éric Racine wrote:
> On Sun, Jul 9, 2023 at 10:27 PM Salvatore Bonaccorso wrote:
> >
> > Source: dhcpcd
> > Version: 10.0.1-1
> > Severity: serious
> > Justification: Debian version goes backwards from previous released versions
> > X-Debbugs-Cc: car...@debian.org
> >
> > Hi
> >
> > The new src:dhcpcd has a lower version of any previous released
> > src:dhcpd version, which had an epoch:
> >
> > 1:3.2.3-11+deb7u1
> > 1:3.2.3-11
> > 1:3.2.3-10
> > 1:3.2.3-9
> > 1:3.2.3-8
> > 1:3.2.3-7
> > 1:3.2.3-6
> > 1:3.2.3-5+squeeze2
> > 1:3.2.3-5+squeeze1
> > 1:3.2.3-5
> > 1:3.2.3-4
> > 1:3.2.3-3
> > 1:3.2.3-2
> > 1:3.2.3-1.1
> > 1:3.2.3-1
> > 1:3.2.2-1
> > 1:3.0.17-2
> > 1:3.0.17-1
> > 1:2.0.3-1
> > 1:2.0.2-1
> > 1:2.0.1-1
> > 1:2.0.0-2
> > 1:2.0.0-1
> > 1:1.3.22pl4-22
> > 1:1.3.22pl4-21sarge1
> > 1:1.3.22pl4-21
> > 1:1.3.22pl4-20
> > 1:1.3.17pl2-8.1
> > 1:1.3.17pl2-8
> > 1:0.70-5
> > 1.3.8-0.1
> > 0.70-3
> > 0.6-1
> > 0.4-1
> >
> > Regards,
> > Salvatore
>
> This was already reported at #1037190. Closing.

I'm aware of #1037190. I'm talking though about the *source* package
version, not the produced dhcpcd binary packages. That is versions now
uploaded are lower than previous ones in the archive for the source
package still even if the dhcpcd binary package introduced the epoch.

Regards,
Salvatore
Bug#1040714: dhcpcd: Missing epoch from souce package version
On Sun, Jul 9, 2023 at 10:33 PM Salvatore Bonaccorso wrote:
> On Sun, Jul 09, 2023 at 09:25:33PM +0200, Salvatore Bonaccorso wrote:
> > Source: dhcpcd
> > Version: 10.0.1-1
> > Severity: serious
> > Justification: Debian version goes backwards from previous released versions
> > X-Debbugs-Cc: car...@debian.org
> >
> > Hi
> >
> > The new src:dhcpcd has a lower version of any previous released
> > src:dhcpd version, which had an epoch:
>
> Apologies for the typo, should be src:dhcpcd in both cases obviously
> :(

Which is a slightly different issue than what Andtreas reported at
#1037190. Sorry.

Unless I'm mistaken, we're basically looking at 2 separate issues:

1) bin:dhcpcd from Wheezy has a higher epoch than the one in Bookworm.
This is easily fixed as explained in #1037190 for Bookworm.

2) Since transiting the source from src:dhcpcd5 to src:dhcpcd we're
missing an epoch for everything. This requires reverting the above fix
and simply introducing an epoch for the whole src and binaries.

Or have I misunderstood the issue?

Martin-Éric
Bug#1040714: dhcpcd: Missing epoch from souce package version
On Sun, Jul 9, 2023 at 10:27 PM Salvatore Bonaccorso wrote:
>
> Source: dhcpcd
> Version: 10.0.1-1
> Severity: serious
> Justification: Debian version goes backwards from previous released versions
> X-Debbugs-Cc: car...@debian.org
>
> Hi
>
> The new src:dhcpcd has a lower version of any previous released
> src:dhcpd version, which had an epoch:
>
> 1:3.2.3-11+deb7u1
> 1:3.2.3-11
> 1:3.2.3-10
> 1:3.2.3-9
> 1:3.2.3-8
> 1:3.2.3-7
> 1:3.2.3-6
> 1:3.2.3-5+squeeze2
> 1:3.2.3-5+squeeze1
> 1:3.2.3-5
> 1:3.2.3-4
> 1:3.2.3-3
> 1:3.2.3-2
> 1:3.2.3-1.1
> 1:3.2.3-1
> 1:3.2.2-1
> 1:3.0.17-2
> 1:3.0.17-1
> 1:2.0.3-1
> 1:2.0.2-1
> 1:2.0.1-1
> 1:2.0.0-2
> 1:2.0.0-1
> 1:1.3.22pl4-22
> 1:1.3.22pl4-21sarge1
> 1:1.3.22pl4-21
> 1:1.3.22pl4-20
> 1:1.3.17pl2-8.1
> 1:1.3.17pl2-8
> 1:0.70-5
> 1.3.8-0.1
> 0.70-3
> 0.6-1
> 0.4-1
>
> Regards,
> Salvatore

This was already reported at #1037190. Closing.

Martin-Éric
Bug#1040714: dhcpcd: Missing epoch from souce package version
Hi,

On Sun, Jul 09, 2023 at 09:25:33PM +0200, Salvatore Bonaccorso wrote:
> Source: dhcpcd
> Version: 10.0.1-1
> Severity: serious
> Justification: Debian version goes backwards from previous released versions
> X-Debbugs-Cc: car...@debian.org
>
> Hi
>
> The new src:dhcpcd has a lower version of any previous released
> src:dhcpd version, which had an epoch:

Apologies for the typo, should be src:dhcpcd in both cases obviously
:(

Regards,
Salvatore
Bug#1040714: dhcpcd: Missing epoch from souce package version
Source: dhcpcd
Version: 10.0.1-1
Severity: serious
Justification: Debian version goes backwards from previous released versions
X-Debbugs-Cc: car...@debian.org

Hi

The new src:dhcpcd has a lower version of any previous released
src:dhcpd version, which had an epoch:

1:3.2.3-11+deb7u1
1:3.2.3-11
1:3.2.3-10
1:3.2.3-9
1:3.2.3-8
1:3.2.3-7
1:3.2.3-6
1:3.2.3-5+squeeze2
1:3.2.3-5+squeeze1
1:3.2.3-5
1:3.2.3-4
1:3.2.3-3
1:3.2.3-2
1:3.2.3-1.1
1:3.2.3-1
1:3.2.2-1
1:3.0.17-2
1:3.0.17-1
1:2.0.3-1
1:2.0.2-1
1:2.0.1-1
1:2.0.0-2
1:2.0.0-1
1:1.3.22pl4-22
1:1.3.22pl4-21sarge1
1:1.3.22pl4-21
1:1.3.22pl4-20
1:1.3.17pl2-8.1
1:1.3.17pl2-8
1:0.70-5
1.3.8-0.1
0.70-3
0.6-1
0.4-1

Regards,
Salvatore