Help with a debdiff for tigervnc

2024-01-21 Thread Andrew C Aitchison


Debian have fixed a security bug in tigervnc which is in universe,
so someone needs to generate a debdiff for the security team to
review it and publish the package:
https://bugs.launchpad.net/ubuntu/+source/tigervnc/+bug/2048442

Debian have fixed this by building tigervnc 1.13.1 with
xorg-server-source = 2:21.1.10, but Ubuntu 23.10 has
tigervnc 1.12.0+dfsg-8 and xorg-server-source 2:21.1.7-3ubuntu2.6

On a good day I can build a .deb from source, but I am not familiar with
debdiffs and it is not clear to me that changing the upstream version
(either for mantic or noble) is a casual thing to do.

What is the next step to get this fix published ?

Thanks,

--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss


Re: Help with a debdiff for tigervnc

2024-01-21 Thread Aaron Rainbolt

On 1/21/24 05:41, Andrew C Aitchison wrote:


> Debian have fixed a security bug in tigervnc which is in universe,
> so someone needs to generate a debdiff for the security team to
> review it and publish the package:
> https://bugs.launchpad.net/ubuntu/+source/tigervnc/+bug/2048442
>
> Debian have fixed this by building tigervnc 1.13.1 with
> xorg-server-source = 2:21.1.10, but Ubuntu 23.10 has
> tigervnc 1.12.0+dfsg-8 and xorg-server-source 2:21.1.7-3ubuntu2.6
>
> On a good day I can build a .deb from source, but I am not familiar with
> debdiffs and it is not clear to me that changing the upstream version
> (either for mantic or noble) is a casual thing to do.
>
> What is the next step to get this fix published ?


If all that's necessary is to rebuild tigervnc against a properly
patched xorg-server-source, this shouldn't be too tricky. The versions
of xorg-server with the patch fixed can be seen at
https://ubuntu.com/security/notices/USN-5986-1. All that would then be
necessary is to bump the dependency to require a version of
xorg-server-source greater than or equal to the corresponding version
in each stable release, and bump the dependency to require the newest
available version of xorg-server-source or greater in the development
release.

The tricky part here is following the whole Stable Release Updates
process (https://wiki.ubuntu.com/StableReleaseUpdates), which takes at
least a week (probably more like a week and a couple of days) and
requires a lot of effort and testing to make work. If you're interested in
helping to fix this hands-on, I'd be happy to assist, but stable release
updates are one of the harder parts of Ubuntu development. If you'd
prefer, I'd also be happy to just take this bug and work on getting it
fixed.


Thanks for helping make Ubuntu better!



Thanks,


--
Aaron Rainbolt
Lubuntu Developer
Matrix: @arraybolt3:matrix.org
IRC: arraybolt3 on irc.libera.chat
GitHub: https://github.com/ArrayBolt3




Re: Help with a debdiff for tigervnc

2024-01-21 Thread Aaron Rainbolt

On 1/21/24 12:05, Andrew C Aitchison wrote:

> On Sun, 21 Jan 2024, Aaron Rainbolt wrote:
>
>> On 1/21/24 05:41, Andrew C Aitchison wrote:
>>
>>> Debian have fixed a security bug in tigervnc which is in universe,
>>> so someone needs to generate a debdiff for the security team to
>>> review it and publish the package:
>>> https://bugs.launchpad.net/ubuntu/+source/tigervnc/+bug/2048442
>>>
>>> Debian have fixed this by building tigervnc 1.13.1 with
>>> xorg-server-source = 2:21.1.10, but Ubuntu 23.10 has
>>> tigervnc 1.12.0+dfsg-8 and xorg-server-source 2:21.1.7-3ubuntu2.6
>>>
>>> On a good day I can build a .deb from source, but I am not familiar with
>>> debdiffs and it is not clear to me that changing the upstream version
>>> (either for mantic or noble) is a casual thing to do.
>>>
>>> What is the next step to get this fix published ?
>>
>> If all that's necessary is to rebuild tigervnc against a properly
>> patched xorg-server-source, this shouldn't be too tricky. The
>> versions of xorg-server with the patch fixed can be seen at
>> https://ubuntu.com/security/notices/USN-5986-1. All that would then
>> be necessary is to bump the dependency to require a version of
>> xorg-server-source greater than or equal to the corresponding
>> version in each stable release, and bump the dependency to require
>> the newest available version of xorg-server-source or greater in the
>> development release.
>>
>> The tricky part here is following the whole Stable Release Updates
>> process (https://wiki.ubuntu.com/StableReleaseUpdates), which takes
>> at least a week (probably more like a week and a couple of days) and
>> requires a lot of effort and testing to make work. If you're interested
>> in helping to fix this hands-on, I'd be happy to assist, but stable
>> release updates are one of the harder parts of Ubuntu development. If
>> you'd prefer, I'd also be happy to just take this bug and work on
>> getting it fixed.
>
> Could you take it please ? I don't have any Ubuntu developer rights.
>
> What is the best way to watch or see what you have done ?


Just watch the bug report you filed, you'll probably get email 
notifications about it. I'll assign to myself so I'm less likely to forget.


Thanks for letting us know about this!



Thanks,


--
Aaron Rainbolt
Lubuntu Developer
Matrix: @arraybolt3:matrix.org
IRC: arraybolt3 on irc.libera.chat
GitHub: https://github.com/ArrayBolt3




Re: Help with a debdiff for tigervnc

2024-01-22 Thread Andrew C Aitchison

On Sun, 21 Jan 2024, Aaron Rainbolt wrote:


> On 1/21/24 05:41, Andrew C Aitchison wrote:
>
>> Debian have fixed a security bug in tigervnc which is in universe,
>> so someone needs to generate a debdiff for the security team to
>> review it and publish the package:
>> https://bugs.launchpad.net/ubuntu/+source/tigervnc/+bug/2048442
>>
>> Debian have fixed this by building tigervnc 1.13.1 with
>> xorg-server-source = 2:21.1.10, but Ubuntu 23.10 has
>> tigervnc 1.12.0+dfsg-8 and xorg-server-source 2:21.1.7-3ubuntu2.6
>>
>> On a good day I can build a .deb from source, but I am not familiar with
>> debdiffs and it is not clear to me that changing the upstream version
>> (either for mantic or noble) is a casual thing to do.
>>
>> What is the next step to get this fix published ?
>
> If all that's necessary is to rebuild tigervnc against a properly patched
> xorg-server-source, this shouldn't be too tricky. The versions of
> xorg-server with the patch fixed can be seen at
> https://ubuntu.com/security/notices/USN-5986-1. All that would then be
> necessary is to bump the dependency to require a version of
> xorg-server-source greater than or equal to the corresponding version in
> each stable release, and bump the dependency to require the newest available
> version of xorg-server-source or greater in the development release.
>
> The tricky part here is following the whole Stable Release Updates process
> (https://wiki.ubuntu.com/StableReleaseUpdates), which takes at least a week
> (probably more like a week and a couple of days) and requires a lot of effort
> and testing to make work. If you're interested in helping to fix this
> hands-on, I'd be happy to assist, but stable release updates are one of the
> harder parts of Ubuntu development. If you'd prefer, I'd also be happy to
> just take this bug and work on getting it fixed.


Could you take it please ? I don't have any Ubuntu developer rights.

What is the best way to watch or see what you have done ?

Thanks,

--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk