On Mon, Dec 18, 2006 at 04:39:49PM +0100, Andreas Barth wrote:
* Andreas Barth ([EMAIL PROTECTED]) [061216 22:20]:
I'll update this as soon as we have more information (and I would also
like to check the symbol lists before an upload - I'm working on this
right now).
Ok, more updates: The
On Tue, Dec 19, 2006 at 08:57:12AM +0100, Andreas Barth wrote:
* Steve Langasek ([EMAIL PROTECTED]) [061219 08:27]:
On Sun, Dec 17, 2006 at 08:13:05AM +1100, Aníbal Monsalve Salazar wrote:
Just for the record. The libpng security issues were communicated
to the security team twice on Nov 9 and 15
* Steve Langasek ([EMAIL PROTECTED]) [061219 09:31]:
On Mon, Dec 18, 2006 at 04:39:49PM +0100, Andreas Barth wrote:
7 X+ ++
These may or may not be a problem depending on whether the ABI has changed
between the versions exported in 1.2.8 and 1.2.13/15. We should probably
look at
* Andreas Barth ([EMAIL PROTECTED]) [061219 10:11]:
* Steve Langasek ([EMAIL PROTECTED]) [061219 09:31]:
On Mon, Dec 18, 2006 at 04:39:49PM +0100, Andreas Barth wrote:
2 X+
These are the only two symbols that would potentially be a reason to prefer
.13 over .15.
Agreed.
* Steve Langasek ([EMAIL PROTECTED]) [061219 09:31]:
On Mon, Dec 18, 2006 at 04:39:49PM +0100, Andreas Barth wrote:
1 X++
These are an issue for shlibs only. (Assuming they're meant to be exported
and shouldn't be suppressed to keep people from using them!)
This is
On Tue, Dec 19, 2006 at 10:16:11AM +0100, Andreas Barth wrote:
* Andreas Barth ([EMAIL PROTECTED]) [061219 10:11]:
* Steve Langasek ([EMAIL PROTECTED]) [061219 09:31]:
On Mon, Dec 18, 2006 at 04:39:49PM +0100, Andreas Barth wrote:
2 X+
These are the only two symbols that would
* Andreas Barth ([EMAIL PROTECTED]) [061219 10:11]:
* Steve Langasek ([EMAIL PROTECTED]) [061219 09:31]:
On Mon, Dec 18, 2006 at 04:39:49PM +0100, Andreas Barth wrote:
7 X+ ++
These may or may not be a problem depending on whether the ABI has changed
between the versions
* Aníbal Monsalve Salazar ([EMAIL PROTECTED]) [061219 10:40]:
Should I prepare a 1.2.15 debian package with the shlibs and the
png.h changes?
Please wait a few more moments, I think we also need to massively create
conflicts with sarge packages. I'm running a check currently.
Cheers,
Andi
--
On Tue, Dec 19, 2006 at 10:10:29AM +0100, Andreas Barth wrote:
* Steve Langasek ([EMAIL PROTECTED]) [061219 09:31]:
On Mon, Dec 18, 2006 at 04:39:49PM +0100, Andreas Barth wrote:
7 X+ ++
These may or may not be a problem depending on whether the ABI has changed
between the
* Steve Langasek ([EMAIL PROTECTED]) [061219 09:31]:
On Mon, Dec 18, 2006 at 04:39:49PM +0100, Andreas Barth wrote:
125 X+
I would say these aren't a problem either, at least to such an extent that
we would want to revert them; they've been gone from unstable since
September 2005 without
Hi,
I write down what I think we should do, and how this handles our issues.
This is explicitly a request for comments, and I want to wait at least
until either Steve and Joss have both agreed to it, or 24 hours has
passed, whatever is earlier.
So, what needs to be done:
1. Adding back
On Tue, Dec 19, 2006 at 10:58:13AM +0100, Andreas Barth wrote:
Checking testing
found in pool/main/a/amsn/amsn_0.95+dfsg2-0.1_i386.deb:
/usr/lib/amsn/utils/TkCximage/TkCximage.so
found in pool/main/d/drscheme/drscheme_352-6_i386.deb:
On Tuesday 19 December 2006 at 11:32 +0100, Andreas Barth wrote:
1. Adding back png_read_destroy and png_write_destroy which were
accidentally removed between 1.2.13-4 and 1.2.15~beta5-0.
2. Conflict with the following packages (from sarge):
libtk-img (= 1.3-13)
mzscheme (= 209-5)
On Tue, Dec 19, 2006 at 11:43:40AM +0100, Josselin Mouette wrote:
However this is not going to help with other upstream changes that
haven't received any testing. I don't think using a release that has not
been tested in Debian for at least several months is reasonable; I don't
trust upstream
On Tue, Dec 19, 2006 at 11:32:06AM +0100, Andreas Barth wrote:
I write down what I think we should do, and how this handles our issues.
This is explicitly a request for comments, and I want to wait at least
until either Steve and Joss have both agreed to it, or 24 hours has
passed, whatever is
* Steve Langasek ([EMAIL PROTECTED]) [061219 12:07]:
On Tue, Dec 19, 2006 at 11:32:06AM +0100, Andreas Barth wrote:
I write down what I think we should do, and how this handles our issues.
This is explicitly a request for comments, and I want to wait at least
until either Steve and Joss
Hi Aníbal,
I think we have now a common conclusion:
* Andreas Barth ([EMAIL PROTECTED]) [061219 11:32]:
1. Adding back png_read_destroy and png_write_destroy which were
accidentally removed between 1.2.13-4 and 1.2.15~beta5-0.
2. Conflict with the following packages (from sarge):
mzscheme
On Tue, Dec 19, 2006 at 12:21:32PM +0100, Andreas Barth wrote:
* Steve Langasek ([EMAIL PROTECTED]) [061219 12:07]:
On Tue, Dec 19, 2006 at 11:32:06AM +0100, Andreas Barth wrote:
I write down what I think we should do, and how this handles our issues.
This is explicitly a request for comments, and
* Andreas Barth ([EMAIL PROTECTED]) [061219 14:11]:
Hi Aníbal,
I think we have now a common conclusion:
* Andreas Barth ([EMAIL PROTECTED]) [061219 11:32]:
1. Adding back png_read_destroy and png_write_destroy which were
accidentally removed between 1.2.13-4 and 1.2.15~beta5-0.
2.
On Tue, Dec 19, 2006 at 07:40:46PM +1100, Aníbal Monsalve Salazar wrote:
JFTR, I also don't seem to have this mail now.
I'm attaching the email I sent.
Ok, thanks. There doesn't seem to be anything in there that needs RM
comment at this point, 1.2.13 is in testing and we're going with 1.2.15
On Monday 18 December 2006 at 16:39 +0100, Andreas Barth wrote:
* Andreas Barth ([EMAIL PROTECTED]) [061216 22:20]:
I'll update this as soon as we have more information (and I would also
like to check the symbol lists before an upload - I'm working on this
right now).
Ok, more updates:
Hi!
It looks like that we will get libpng 1.2.8 back to Etch, right?
But one of my packages (optipng) needs at least libpng 1.2.9 (it needs
png_get_uint_32 and png_save_uint_32).
When version 1.2.8 gets uploaded, probably optipng will FTBFS and I will
upload a new version statically linked
On Mon, Dec 18, 2006 at 04:19:51PM -0200, Nelson A. de Oliveira [EMAIL PROTECTED] wrote:
Hi!
It looks like that we will get libpng 1.2.8 back to Etch, right?
But one of my packages (optipng) needs at least libpng 1.2.9 (it needs
png_get_uint_32 and png_save_uint_32).
When version 1.2.8
Hi!
On 12/18/06, Mike Hommey [EMAIL PROTECTED] wrote:
Do you have a better idea than statically linking against libpng?
Add png_get_uint_32 and png_save_uint_32 to optipng and link against
libpng 1.2.8 ?
Actually they are present on libpng 1.2.8 (but they are exported only
if PNG_INTERNAL
On Monday 18 December 2006 at 17:12 -0200, Nelson A. de Oliveira wrote:
Hi!
On 12/18/06, Mike Hommey [EMAIL PROTECTED] wrote:
Do you have a better idea than statically linking against libpng?
Add png_get_uint_32 and png_save_uint_32 to optipng and link against
libpng 1.2.8 ?
* Nelson A. de Oliveira ([EMAIL PROTECTED]) [061218 19:27]:
Do you have a better idea than statically linking against libpng?
We will need to work out what is best overall - whatever that is. We
will keep optipng's situation in mind on that, thanks for your mail.
Cheers,
Andi
--
On Sun, Dec 17, 2006 at 08:13:05AM +1100, Aníbal Monsalve Salazar wrote:
Just for the record. The libpng security issues were communicated
to the security team twice on Nov 9 and 15 2006. On Nov 15 2006
both vorlon and aba were made aware of the security problems.
Well no, I'm not aware of
* Steve Langasek ([EMAIL PROTECTED]) [061219 08:27]:
On Sun, Dec 17, 2006 at 08:13:05AM +1100, Aníbal Monsalve Salazar wrote:
Just for the record. The libpng security issues were communicated
to the security team twice on Nov 9 and 15 2006. On Nov 15 2006
both vorlon and aba were made aware
* Josselin Mouette ([EMAIL PROTECTED]) [061215 13:46]:
The only sane solution if you want to get quickly to a releaseable state
is to go back to the last 1.2.8 package and to backport security fixes.
I've also explained more long-term solutions for the libpng madness on
my planet posting.
On Sat, Dec 16, 2006 at 14:57:19 +0100, Andreas Barth wrote:
* Josselin Mouette ([EMAIL PROTECTED]) [061215 13:46]:
The only sane solution if you want to get quickly to a releaseable state
is to go back to the last 1.2.8 package and to backport security fixes.
I've also explained more
Mike Hommey [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], Sam Hocevar [EMAIL PROTECTED]
On Sat, Dec 16, 2006 at 09:45:05PM +0100, Julien Cristau wrote:
On Sat, Dec 16, 2006 at 14:57:19 +0100, Andreas Barth wrote:
Anibal, do you want to upload the package, or should I NMU it?
I'll upload it. I'll
* Julien Cristau ([EMAIL PROTECTED]) [061216 21:45]:
I've prepared a package based on 1.2.8rel-7, with a patch for
CVE-2006-5793. No other security issues seem to be mentioned in the sid
package's changelog, but let me know if I've missed something.
Source package at
On Thursday 14 December 2006 at 23:19 -0800, Steve Langasek wrote:
Unfortunately, 1.2.8 is not the version of libpng in testing today; 1.2.13
is, and that version has *known* RC bugs.
Moreover, there has now been a shlibs bump in this beta version (warranted
or not, I don't know) that blocks
Josselin Mouette wrote:
The only sane solution if you want to get quickly to a releaseable state
is to go back to the last 1.2.8 package and to backport security fixes.
I've also explained more long-term solutions for the libpng madness on
my planet posting.
I agree. Especially, as the
On Fri, Dec 15, 2006 at 07:01:20PM +0100, Moritz Muehlenhoff [EMAIL PROTECTED] wrote:
Josselin Mouette wrote:
The only sane solution if you want to get quickly to a releaseable state
is to go back to the last 1.2.8 package and to backport security fixes.
I've also explained more long-term
On Fri, Dec 15, 2006 at 10:23:11PM +0100, Mike Hommey wrote:
On Fri, Dec 15, 2006 at 07:01:20PM +0100, Moritz Muehlenhoff [EMAIL PROTECTED] wrote:
Josselin Mouette wrote:
The only sane solution if you want to get quickly to a releaseable state
is to go back to the last 1.2.8 package and
On Tue, Dec 12, 2006 at 02:13:36PM +0100, Josselin Mouette wrote:
As I'm no longer the maintainer, I don't have any say to what happens to
this package, but my advice, based on my painful experience with libpng,
would be to *not* unblock it now. Releasing with a beta version that
hasn't been
Hello RMs,
Please unblock libpng 1.2.15~beta5-0.
Upstream provided this beta version of libpng to fix RC bug #401044.
It also fixes two other RC bugs, #401423 and #401465.
Changes:
libpng (1.2.15~beta5-0) unstable; urgency=high
.
* New upstream release.
- Fixed asm API functions
Hi,
As I'm no longer the maintainer, I don't have any say to what happens to
this package, but my advice, based on my painful experience with libpng,
would be to *not* unblock it now. Releasing with a beta version that
hasn't been widely tested is a dead end. Even without the beta flag,
there