Your message dated Sun, 30 Apr 2017 19:31:30 +0200
with message-id <20170430173128.ga13...@ugent.be>
and subject line Re: binNMU in unstable
has caused the Debian Bug report #860429,
regarding unblock: golang-go.crypto/1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
860429: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860429
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package golang-go.crypto

About 18 days ago, a security issue was patched [1] in this package. For reasons
not directly related to the CVE [2], an upload to unstable was done about 9 days
after the relevant security update. I have not yet confirmed the fix is in
unstable (haven't had the time available, yet), but believe it's there.

While the patch itself is relatively simple [3], there is a large delta from
testing and the debdiff is quite substantial (~16,000 lines). Unfortunately, I
agree with the severity and RC status... and this package has a very large
number of reverse build dependencies against it. Adding to the headache, this
change introduces an unavoidable breaking change.

I know the current unstable package needs d/NEWS,chglog updated before an
acceptable debdiff could be presented. I now see other security updates [4]
have been resolved since the version in testing.

This is my first time requesting a freeze exception or trying to handle one at
all and the list of reverse dependencies has me feeling a little uneasy. If
anyone is interested in mentoring (or taking over), please do!

[1] https://github.com/golang/go/issues/19767
[2] https://security-tracker.debian.org/tracker/CVE-2017-3204
[3] https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991
[4] https://github.com/golang/go/issues?q=label%3ASecurity+is%3Aclosed
[-] https://bugs.debian.org/859655

unblock golang-go.crypto/1:0.0~git20170407.0.55a552f-1

-- System Information:
Debian Release: 9.0 
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Hi,

Closing this request, as golang-go.crypto is now in testing, and the other
issues are done or have separate bugs (see below).

On Fri, Apr 28, 2017 at 06:42:34PM -0500, Michael Lustfield wrote:
> I've requested a rebuild of the reverse build dependencies in unstable [1].

This has been handled in #861432.

> I also rebuilt reverse build dependencies against this package update with the
> following results:
> 
> testing:
>   success: 62,  failed: 2 (being addressed)
> unstable
>   success: 107, failed: 7 (unchecked)
> 
> The first failure in testing was packer (previous comments). Felix contacted me
> about restic and is taking care of any issues.

These have RC bugs, so these issues will be handled through those.

It seems packer is the only package in stretch that has 'built-using' for the
old version of golang-go.crypto.

Cheers,

Ivo

--- End Message ---
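
The 'built-using' check mentioned in the closing message matters because Go binaries embed the library at build time, so a binary stays on the old code until it is rebuilt. The following is an added example, not part of the original thread or of any Debian tooling: it scans apt Packages-style stanzas for binaries whose Built-Using field names golang-go.crypto at any version other than the one in the unblock line. The package names and the old version string in the sample are constructed.

```python
import re

# Fixed source version, taken from the unblock line in the request above.
FIXED = "1:0.0~git20170407.0.55a552f-1"
SOURCE = "golang-go.crypto"

# Constructed sample in apt Packages (deb822) format; package names and
# every version other than FIXED are made up for illustration.
SAMPLE = """\
Package: example-tool-a
Version: 1.0-1
Built-Using: golang-1.7 (= 1.7.4-2), golang-go.crypto (= 1:0.0~git20160101.0.aaaaaaa-1)

Package: example-tool-b
Version: 2.3-1+b1
Built-Using: golang-1.7 (= 1.7.4-2),
 golang-go.crypto (= 1:0.0~git20170407.0.55a552f-1)

Package: example-lib-dev
Version: 0.5-1
Depends: golang-golang-x-crypto-dev
"""

def parse_stanzas(text):
    """Yield each deb822 stanza as a dict, folding continuation lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, value = line.split(":", 1)  # versions may contain ':'
                fields[key] = value.strip()
        yield fields

def built_using(fields):
    """Return {source: version} parsed from a stanza's Built-Using field."""
    raw = fields.get("Built-Using", "")
    return dict(re.findall(r"(\S+)\s*\(=\s*([^)\s]+)\s*\)", raw))

def stale_binaries(text, source=SOURCE, fixed=FIXED):
    """Binaries that embed `source` at any version other than `fixed`."""
    stale = []
    for fields in parse_stanzas(text):
        used = built_using(fields).get(source)
        if used is not None and used != fixed:
            stale.append((fields["Package"], used))
    return stale

if __name__ == "__main__":
    for name, version in stale_binaries(SAMPLE):
        print(f"{name}: built using {SOURCE} {version}, needs rebuild")
```

The comparison is an exact string match, so a binary built against a later upload is also reported; that is a prompt to check it, not a verdict.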
