Re: Security issue in groovy<2.5.0
Le 7/09/2017 à 20:40, Felix Natter a écrit : > I have backported the single GROOVY-8163 [1] [2] commit (plus a missing > import), and pushed the result here: > https://anonscm.debian.org/cgit/pkg-java/groovy.git > > [1] https://issues.apache.org/jira/browse/GROOVY-8163 > [2] > https://github.com/apache/groovy/commit/0305a38a0cc8f4190a1486c460ebc6f712ad1a07 > > I have tested this extensively with freeplane. Thanks ! > Could someone please consider sponsoring this? I'll upload the package. > I assumed a QA upload because lintian complains about missing Uploader: > and because of Paul Wise's advice. Shall I revert to team upload? Yes please. Emmanuel Bourg
Re: Security issue in groovy<2.5.0
hello Debian-java, Emmanuel Bourg writes: > Le 17/08/2017 à 20:18, Felix Natter a écrit : > >> So the question is: Can I package freeplane without the 'securegroovy' >> library, expecting that groovy 2.5 will be released soon, and will >> shortly after be packaged for Debian? > > Yes ignore securegroovy, we have to directly patch or upgrade our groovy > package in this case. I have backported the single GROOVY-8163 [1] [2] commit (plus a missing import), and pushed the result here: https://anonscm.debian.org/cgit/pkg-java/groovy.git [1] https://issues.apache.org/jira/browse/GROOVY-8163 [2] https://github.com/apache/groovy/commit/0305a38a0cc8f4190a1486c460ebc6f712ad1a07 I have tested this extensively with freeplane. Could someone please consider sponsoring this? I assumed a QA upload because lintian complains about missing Uploader: and because of Paul Wise's advice. Shall I revert to team upload? Thanks and Best Regards, -- Felix Natter debian/rules!
Re: Security issue in groovy<2.5.0
On Thu, Sep 7, 2017 at 12:01 AM, 殷啟聰 | Kai-Chung Yan wrote: > Changing the maintainer to Debian QA Group does not seem incorrect to me. Unfortunately orphaning packages tends to attract deletionists, so you have to be vigilant to ensure the package doesn't get removed from Debian entirely. If no-one on the Java team cares about it, maybe just removing it is fine though. > However, I'm curious about the situation when someone wants to upload a > simple change to an orphaned package. Do people refrain from it or they > simply do a non-maintainer upload? They do a QA upload: https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#nmu-qa-upload -- bye, pabs https://wiki.debian.org/PaulWise
Re: Security issue in groovy<2.5.0
Hello Felix, I agree that the changes are made into a single patch. Now that no human being is actively maintaining this package, I think it is effectively orphaned. pkg-java team is unable to be responsible for the package because nobody *is* pkg-java. Changing the maintainer to Debian QA Group does not seem incorrect to me. However, I'm curious about the situation when someone wants to upload a simple change to an orphaned package. Do people refrain from it or they simply do a non-maintainer upload? Felix Natter 於 2017/9/5 上午3:35 寫道: > 殷啟聰 | Kai-Chung Yan writes: > >> Hello Natter, > hi Kai, > thanks for the reply. > > s/Natter/Felix/g ;-) (my first name is Felix) > >> Since it's just one commit, I suggest you put it as a patch in >> `debian/patches`. When someone is updating the package to 2.5.0, she >> can just remove it. > There is already a 2.4.8-2 in the git pipeline (unreleased) by Miguel > Landaeta (CC): > https://anonscm.debian.org/cgit/pkg-java/groovy.git > > In the corresponding bug for 2.4.8-2 (#871857) Miguel says: > > "I removed myself from uploaders list and prepared a tentative QA upload > but I didn't upload it to the archive since the resulting package would > be in violation of Debian Policy (§3.3 and §5.6.3). I'd appreciate if > somebody else can step in as maintainer." > > Policy §5.6.3 says: > "This is normally an optional field, but if the Maintainer control field > names a group of people and a shared email address, the Uploaders field > must be present and must contain at least one human with their personal > email address." > > --> groovy currently only has: > Maintainer: Debian Java Maintainers > > (no Uploader:) > which seems to violate §5.6.3. So how can we make a policy-compliant > team upload without becoming maintainer (I'd like to avoid taking over > groovy maintainership if possible)? > > Shall we set > Maintainer: Debian QA Group > according to Policy §3.3, even if we usually do team uploads? > > Other than that: @Miguel, @Emmanuel, @Kai: do you agree to make a simple > 2.4.8-2 release with Miguel's changes only adding that patch? > > Thanks and Best Regards, signature.asc Description: OpenPGP digital signature
Re: Security issue in groovy<2.5.0
Hi, On Monday, September 4, 2017 09:35:46 PM CEST Felix Natter wrote: > > [...] > > which seems to violate §5.6.3. So how can we make a policy-compliant > team upload without becoming maintainer (I'd like to avoid taking over > groovy maintainership if possible)? > > Shall we set > Maintainer: Debian QA Group > according to Policy §3.3, even if we usually do team uploads? The Debian Java team should be kept as maintainer since groovy is not being orphaned. It's only the uploaders list that is not correct anymore. > Other than that: @Miguel, @Emmanuel, @Kai: do you agree to make a simple > 2.4.8-2 release with Miguel's changes only adding that patch? I'm just curious here, but what's the upstream rationale to don't release a hot fix for groovy if we are talking about a security issue? I agree with including the patch, especially if it's already merged at upstream and scheduled to be included in 2.5.0. Cheers, Miguel. -- Miguel Landaeta, nomadium at debian.org secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key. "Faith means not wanting to know what is true." -- Nietzsche signature.asc Description: Digital signature
Re: Security issue in groovy<2.5.0
殷啟聰 | Kai-Chung Yan writes: > Hello Natter, hi Kai, thanks for the reply. s/Natter/Felix/g ;-) (my first name is Felix) > Since it's just one commit, I suggest you put it as a patch in > `debian/patches`. When someone is updating the package to 2.5.0, she > can just remove it. There is already a 2.4.8-2 in the git pipeline (unreleased) by Miguel Landaeta (CC): https://anonscm.debian.org/cgit/pkg-java/groovy.git In the corresponding bug for 2.4.8-2 (#871857) Miguel says: "I removed myself from uploaders list and prepared a tentative QA upload but I didn't upload it to the archive since the resulting package would be in violation of Debian Policy (§3.3 and §5.6.3). I'd appreciate if somebody else can step in as maintainer." Policy §5.6.3 says: "This is normally an optional field, but if the Maintainer control field names a group of people and a shared email address, the Uploaders field must be present and must contain at least one human with their personal email address." --> groovy currently only has: Maintainer: Debian Java Maintainers (no Uploader:) which seems to violate §5.6.3. So how can we make a policy-compliant team upload without becoming maintainer (I'd like to avoid taking over groovy maintainership if possible)? Shall we set Maintainer: Debian QA Group according to Policy §3.3, even if we usually do team uploads? Other than that: @Miguel, @Emmanuel, @Kai: do you agree to make a simple 2.4.8-2 release with Miguel's changes only adding that patch? Thanks and Best Regards, -- Felix Natter debian/rules!
Re: Security issue in groovy<2.5.0
Hello Natter, Since it's just one commit, I suggest you put it as a patch in `debian/patches`. When someone is updating the package to 2.5.0, she can just remove it. Felix Natter 於 2017/9/2 下午10:35 寫道: > hello Emmanuel, > > Felix Natter writes: >>> Le 26/08/2017 à 18:14, Felix Natter a écrit : >>> The problem is that it may take weeks/months for groovy 2.5 to be released, and weeks/months until it's packaged for Debian. >>> How big is the fix for Groovy? Do you know which commits should be >>> backported? >> It's a single (but nontrivial) commit: >> https://github.com/apache/groovy/commit/0305a38a0cc8f4190a1486c460ebc6f712ad1a07 >> >> The groovy people decided not to backport to groovy 2.4.x, so I am not >> sure whether we shall do it? > Is there any update on this? What shall I do? > I don't mean to be impatient, I was just not sure whether you've seen > this. > > Thanks and Best Regards, signature.asc Description: OpenPGP digital signature
Re: Security issue in groovy<2.5.0
hello Emmanuel, Felix Natter writes: >> Le 26/08/2017 à 18:14, Felix Natter a écrit : >> >>> The problem is that it may take weeks/months for groovy 2.5 to be >>> released, and weeks/months until it's packaged for Debian. >> >> How big is the fix for Groovy? Do you know which commits should be >> backported? > > It's a single (but nontrivial) commit: > https://github.com/apache/groovy/commit/0305a38a0cc8f4190a1486c460ebc6f712ad1a07 > > The groovy people decided not to backport to groovy 2.4.x, so I am not > sure whether we shall do it? Is there any update on this? What shall I do? I don't mean to be impatient, I was just not sure whether you've seen this. Thanks and Best Regards, -- Felix Natter debian/rules!
Re: Security issue in groovy<2.5.0
Thorsten Glaser writes: > On Sat, 26 Aug 2017, Felix Natter wrote: hi Thorsten, >> OTOH, this is for Debian unstable/testing... > > Debian unstable is where you upload things to that you expect > to be part of the next Debian stable, and thus in an appropriate > shape; it might make sense for experimental though? This post is about considering to patch groovy-2.4 to fix a sandbox escape in that version, which the groovy people did not want to patch in 2.4.x, but it will be part of 2.5.x. I meant that we might consider using the patch on Debian testing/unstable, because unlike upstream groovy 2.4.x it won't be used in a stable environment soon (i.e. until 2.5.0 is released). Of course, this might neglect Ubuntu releases. Best Regards, -- Felix Natter debian/rules!
Re: Security issue in groovy<2.5.0
On Sat, 26 Aug 2017, Felix Natter wrote: > OTOH, this is for Debian unstable/testing... Debian unstable is where you upload things to that you expect to be part of the next Debian stable, and thus in an appropriate shape; it might make sense for experimental though? bye, //mirabilos -- 15:41⎜ Somebody write a testsuite for helloworld :-)
Re: Security issue in groovy<2.5.0
Felix Natter writes: > Emmanuel Bourg writes: > > hi Emmanuel, > >> Le 26/08/2017 à 18:14, Felix Natter a écrit : >> >>> The problem is that it may take weeks/months for groovy 2.5 to be >>> released, and weeks/months until it's packaged for Debian. >> >> How big is the fix for Groovy? Do you know which commits should be >> backported? > > It's a single (but nontrivial) commit: > https://github.com/apache/groovy/commit/0305a38a0cc8f4190a1486c460ebc6f712ad1a07 > > The groovy people decided not to backport to groovy 2.4.x, so I am not > sure whether we shall do it? OTOH, this is for Debian unstable/testing... Cheers and Best Regards, -- Felix Natter
Re: Security issue in groovy<2.5.0
Emmanuel Bourg writes: hi Emmanuel, > Le 26/08/2017 à 18:14, Felix Natter a écrit : > >> The problem is that it may take weeks/months for groovy 2.5 to be >> released, and weeks/months until it's packaged for Debian. > > How big is the fix for Groovy? Do you know which commits should be > backported? It's a single (but nontrivial) commit: https://github.com/apache/groovy/commit/0305a38a0cc8f4190a1486c460ebc6f712ad1a07 The groovy people decided not to backport to groovy 2.4.x, so I am not sure whether we shall do it? Thanks and Best Regards, -- Felix Natter
Re: Security issue in groovy<2.5.0
Le 26/08/2017 à 18:14, Felix Natter a écrit : > The problem is that it may take weeks/months for groovy 2.5 to be > released, and weeks/months until it's packaged for Debian. How big is the fix for Groovy? Do you know which commits should be backported? Emmanuel Bourg
Re: Security issue in groovy<2.5.0
Emmanuel Bourg writes: > Le 17/08/2017 à 20:18, Felix Natter a écrit : hi Emmanuel, >> So the question is: Can I package freeplane without the 'securegroovy' >> library, expecting that groovy 2.5 will be released soon, and will >> shortly after be packaged for Debian? > > Yes ignore securegroovy, we have to directly patch or upgrade our groovy > package in this case. The problem is that it may take weeks/months for groovy 2.5 to be released, and weeks/months until it's packaged for Debian. I would like to package freeplane 1.6.5 this/next week, and I guess freeplane users expect that this version is safe. So shall I package securegroovy, and throw it away soon? Cheers and Best Regards, -- Felix Natter
Re: Security issue in groovy<2.5.0
Le 17/08/2017 à 20:18, Felix Natter a écrit : > So the question is: Can I package freeplane without the 'securegroovy' > library, expecting that groovy 2.5 will be released soon, and will > shortly after be packaged for Debian? Yes ignore securegroovy, we have to directly patch or upgrade our groovy package in this case. Emmanuel Bourg
Security issue in groovy<2.5.0
hello debian-java, freeplane 1.5/1.6 added a library [1] which uses byte-buddy to fix a security problem in groovy < 2.5.0 [2]. The fix will be included in groovy 2.5, which should be released soon (currently at 2.5.0-beta-2). So the question is: Can I package freeplane without the 'securegroovy' library, expecting that groovy 2.5 will be released soon, and will shortly after be packaged for Debian? [1] https://github.com/dpolivaev/securegroovy/ [2] https://issues.apache.org/jira/browse/GROOVY-8163 (freeplane maps include groovy scripts which can escape the sandbox) Thanks and Best Regards, -- Felix Natter
