Re: PHP security upload not included in 6.0.9
Thijs Kinkhorst th...@debian.org writes:

> On Mon, February 17, 2014 09:45, Lior Kaplan wrote:
>> 1. First time I encounter this problem, any idea where can I see the
>> buildd logs for these security uploads to see why haven't they built fine.
>
> The security team receives those. I'll forward them to you for this case.
>
>> 2. I see there are only a few of similar cases, would be nice to have them
>> caught and generate some notification - finding out only when a fix
>> doesn't go into a stable update sounds expensive to me (project benefit
>> wise).
>
> In general terms, the security team monitors what builds fail and tries to
> involve the respective porters and maintainers; it seems in this case that
> wasn't (yet) done. I would expect the buildd admins to also actively
> monitor what fails on their archs but I'm not sure that actually happens
> for all archs.

buildd maintainers actually do not get build logs for security. At least not with the setup documented when kfreebsd-* was set up so we tend to not see any normal failures. Can of course be changed if that's what security@ wants.

Christoph

--
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer

--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87y5113dnb@anonymous.siccegge.de
Re: PHP security upload not included in 6.0.9
On Mon, Feb 17, 2014 at 9:42 AM, Adam D. Barratt a...@adam-barratt.org.uk wrote:

> On Mon, 2014-02-17 at 01:38 +0200, Lior Kaplan wrote:
>> I saw the happy notice about 6.0.9 release, and wondered why isn't php5
>> (5.3.3-7+squeeze18) part of this update (uploaded in December).
>
> This was due to the fact that the package has not yet successfully built
> on kfreebsd-*, as can be seen from
> https://release.debian.org/proposed-updates/oldstable.html

Thanks Adam.

1. First time I encounter this problem, any idea where can I see the buildd logs for these security uploads to see why haven't they built fine.

2. I see there are only a few of similar cases, would be nice to have them caught and generate some notification - finding out only when a fix doesn't go into a stable update sounds expensive to me (project benefit wise).

Kaplan
Re: PHP security upload not included in 6.0.9
Hi Lior,

On Mon, February 17, 2014 09:45, Lior Kaplan wrote:
> 1. First time I encounter this problem, any idea where can I see the
> buildd logs for these security uploads to see why haven't they built fine.

The security team receives those. I'll forward them to you for this case.

> 2. I see there are only a few of similar cases, would be nice to have them
> caught and generate some notification - finding out only when a fix
> doesn't go into a stable update sounds expensive to me (project benefit
> wise).

In general terms, the security team monitors what builds fail and tries to involve the respective porters and maintainers; it seems in this case that wasn't (yet) done. I would expect the buildd admins to also actively monitor what fails on their archs but I'm not sure that actually happens for all archs.

Cheers,
Thijs
Re: PHP security upload not included in 6.0.9
On 2014-02-17 8:45, Lior Kaplan wrote:
> On Mon, Feb 17, 2014 at 9:42 AM, Adam D. Barratt a...@adam-barratt.org.uk wrote:
>> On Mon, 2014-02-17 at 01:38 +0200, Lior Kaplan wrote:
>>> I saw the happy notice about 6.0.9 release, and wondered why isn't php5
>>> (5.3.3-7+squeeze18) part of this update (uploaded in December).
>>
>> This was due to the fact that the package has not yet successfully built
>> on kfreebsd-*, as can be seen from
>> https://release.debian.org/proposed-updates/oldstable.html
>
> Thanks Adam.
>
> 1. First time I encounter this problem, any idea where can I see the
> buildd logs for these security uploads to see why haven't they built fine.

Logs for security builds aren't publicly available; you could try asking the security team.

> 2. I see there are only a few of similar cases, would be nice to have them
> caught and generate some notification

The security team periodically check for packages that are available in the security archive but have not made it to ftp-master. In this case the packages aren't available in the security archive either; I'd expect that they also check those.

> - finding out only when a fix doesn't go into a stable update sounds
> expensive to me (project benefit wise).

Having the fixes included in a stable update is mostly convenience. The packages are already available (at least on the architectures where they build okay) from the security archive, which everyone running {old,}stable should be checking.

Regards,
Adam
PHP security upload not included in 6.0.9
Dear release team,

I saw the happy notice about 6.0.9 release, and wondered why isn't php5 (5.3.3-7+squeeze18) part of this update (uploaded in December).

Also see this: http://qa.debian.org/madison.php?package=php5

The changes log (taken from our VCS) has two CVEs:

* [CVE-2013-6420]: Fix memory corruption in openssl_x509_parse (Closes: #731895)
* [CVE-2013-6712] Fix heap buffer over-read in DateInterval (Closes: #731112)

Thanks,
Kaplan
Re: PHP security upload not included in 6.0.9
On Mon, 2014-02-17 at 01:38 +0200, Lior Kaplan wrote:
> I saw the happy notice about 6.0.9 release, and wondered why isn't php5
> (5.3.3-7+squeeze18) part of this update (uploaded in December).

This was due to the fact that the package has not yet successfully built on kfreebsd-*, as can be seen from https://release.debian.org/proposed-updates/oldstable.html

> Also see this: http://qa.debian.org/madison.php?package=php5

Amending that query slightly to http://qa.debian.org/madison.php?package=php5S=on also shows that +squeeze18 is missing builds.

Regards,
Adam