On Tue, Apr 28, 2026 at 07:06:40AM +0200, Troels Arvin wrote:
Hello,
On 2026-04-28, Athos Ribeiro wrote:
I cannot see it. I wonder why is that. It would be nice to either make
it public or to file a different bug for that.
It's because I was re-building the package based on input I got on
Matrix. I have built a new edition using another versioning scheme
which I hope is better: I now call it mapserver - 7.6.4-2build2.1
because the previous one in Ubuntu is called 7.6.4-2build2.
The updated changelog:
Since you are adding a delta, that string needs to change to include
"ubuntu" in it. Please, read the documentation I provided in my previous
reply.
The new package is available at
https://launchpad.net/~troels-w/+archive/ubuntu/mapserver7/+packages
The updated debdiff is here:
https://troels.arvin.dk/ubuntu/mapserver/mapserver_7.6.4-2build2.1.debdiff
* It would be nice to reference a bug in that changelog entry.
I seems the related Ubuntu bug (2069291) is not generally available.
But I've updated the changelog entry so that it mentions two specific
CVEs which it fixes.
You still want to reference the bug.
* Since this is an update to a stable release, you must make sure that
all supported Ubuntu releases which are newer than the one being
fixed, are already fixed. Is that the case?
Newer Ubuntus have another Mapserver generation (8 instead of 7), so I
have not tried to address that.
If the CVE is present in those, they MUST be fiexed before jammy.
* Since a new delta is being added, the package versioning in
d/changelog must reflect that. meaning you need to add the "ubuntu"
string in the debian revision part of the package version.
Sorry, I don't understand that.
Again, read the documentation provided. I am happy to address any
questions you may have regarding the docs.
* That dep3 header could reflect the fact that the patch comes from the
* upstream project by adjusting the Origin field to say
"Origin: upstream, $URL".
Sorry, I don't understand that, either.
Check https://dep-team.pages.debian.net/deps/dep3/ for examples.
Once you attach your debdiff in the related bug, please subscribe
the ubuntu-sponsors launchpad user to the bug so your patch enters
the Ubuntu sponsoring queue.
OK, I've added ubuntu-sponsors to bug 2069291.
You should also attach the debdiff to that bug.
Are there any sensitive or embargoed information in that bug? If the
CVEs are public now, I suppose the bug does not need to be private.
--
Athos Ribeiro
--
Ubuntu-motu mailing list
[email protected]
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
