The d/changelog in, for example, jammy, hints that this is a straight backport from plucky. The first 3 entries have:
google-osconfig-agent (20240926.03-0ubuntu1~22.04.0) jammy; urgency=medium * No change rebuild for Jammy. -- Chloé 'kajiya' Smith <[email protected]> Wed, 06 Nov 2024 11:54:47 +0000 google-osconfig-agent (20240926.03-0ubuntu1) plucky; urgency=medium * New upstream version for upstream tag 20240926.03. (LP: #2084496) * Golang revendoring. * Add new debian/source/include-binaries entries. -- Chloé 'kajiya' Smith <[email protected]> Mon, 14 Oct 2024 19:14:20 +0100 google-osconfig-agent (20240524.03-0ubuntu2~22.04.0) jammy; urgency=medium * Rebuild for Jammy. - Bump golang version to 1.22. - Revert the addition of d/p/0002-Edit-TestAptRepositories-for-signed-repos.patch. -- Chloé 'kajiya' Smith <[email protected]> Tue, 06 Aug 2024 22:52:48 +0100 So it's like 20240926.03-0ubuntu1 was taken as-is from plucky, and rebuilt on jammy. That doesn't seem to be the case, because if I diff this upload against plucky, there are way more differences than just d/changelog: $ git diff queue/jammy/unapproved/325567c pkg/ubuntu/devel|diffstat b/debian/changelog | 53 -------- b/debian/control | 2 b/debian/patches/0002-Edit-TestAptRepositories-for-signed-repos.patch | 29 ++++ b/debian/patches/series | 1 b/debian/rules | 9 - debian/extra/vendor/google.golang.org/protobuf/0001-protojson-configurable-recursion-limit-when-unmarsha.patch | 243 ---------------------------------------- debian/extra/vendor/patches-applied/README.txt | 1 debian/extra/vendor/patches-applied/protobuf-CVE-2024-24786.patch | 73 ------------ 8 files changed, 31 insertions(+), 380 deletions(-) The diff related to the previous upload in jammy is fine (bar the missing no-change rebuild which is the last upload in jammy, but since it's just a rebuild, and this sru will definitely rebuild the package, that's ok). There is also a d/control change not declared in d/changelog, but since it's just in the uploaders field, and doesn't impact the build of the package, it's not a blocker. Unless you didn't mean to change that: --- a/debian/control +++ b/debian/control @@ -1,6 +1,6 @@ Source: google-osconfig-agent Maintainer: Ubuntu Developers <[email protected]> -Uploaders: Balint Reczey <[email protected]> +Uploaders: Utkarsh Gupta <[email protected]> Section: devel Testsuite: autopkgtest-pkg-go Priority: optional In the end, it's difficult to follow the history of this package. The changelog is all over the place: jammy -> oracular -> jammy -> plucky -> jammy again. That is the "normal" case for backports, but this doesn't look like a straight backport. Anyway, I won't block on it, but we should chat about how these uploads are prepared, so it's better understood for the next one, and the review can be quicker. ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-24786 ** Changed in: google-osconfig-agent (Ubuntu Oracular) Status: New => Fix Committed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2084496 Title: Please update to 20240926.03 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/google-osconfig-agent/+bug/2084496/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
