[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Jailkit-dev] Little issue about jailkit in Debian (urgent)
|
From: |
Eriberto |
|
Subject: |
Re: [Jailkit-dev] Little issue about jailkit in Debian (urgent) |
|
Date: |
Fri, 16 Jul 2021 01:10:00 -0300 |
Dear Olivier,
Debian is a project focused on security. In the hard freeze stage is
not usual to upload new upstream releases, even not hurting the main
rules in policy. Uploads in hard freeze must be essential to program
health, not minor fixes. In your new release you have an important
security fix and a minor security fix. To upload this new release, I
will need:
- Drop all patches[1] because they were partially applied by you. I
say partially because you changed the manpage jailkit from level 8 to
level 7 in its name, but in the .TH line it remains 8. Consequently...
- I will need to create a new patch to fix the level of jailkit.
- I also will need change debian/rules to install the manpage using
the new name (jailkit.7)
[1] https://sources.debian.org/src/jailkit/2.21-3/debian/patches/
>From Debian Lintian:
E: jailkit: odd-place-for-manual-page usr/share/man/man8/jailkit.7.gz
W: jailkit: wrong-manual-section usr/share/man/man7/jailkit.7.gz:1 7 != 8
W: jailkit: wrong-manual-section usr/share/man/man8/jailkit.7.gz:1 7 != 8
I: jailkit: spare-manual-page usr/share/man/man8/jailkit.7.gz
Via debdiff I can see changes in other files, such as py/jk_lib.py,
src/jk_lsh.c and src/jk_socketd.c. It is another problem to get an ok
from the Release Team. The main goal in hard freeze is not to make
changes to observe the behavior of the system to be released. The
Release Team do not accept any change in packages just because it does
not hurt the freeze policy.
I will go ahead asking for an unblock for a new upload fixing
jk_update (Debian bug #991075). Don't worry. When Debian 11 was
released, I will send jailkit 2.22 to untable and to stable-backports,
making it available for all users og the stable, via Backports[2].
Currently, jailkit is already available in BPO (stable-backports)[3].
[2] https://backports.debian.org/
[3] https://tracker.debian.org/pkg/jailkit
Thanks a lot for your work and quick reply.
Cheers,
Eriberto
Em qui., 15 de jul. de 2021 às 14:49, Olivier Sessink
<olivier@bluefish.openoffice.nl> escreveu:
>
> That website makes the requirements clear:
>
> ----------------
> In most cases, it's not appropriate to upload a new upstream release at
> this point. New upstream release usually contain unrelated changes,
> which might be inappropriate or make review much more difficult.
> Uploading a new upstream release is only appropriate when the resulting
> debdiff doesn't contain changes that wouldn't be in the debdiff of a
> targeted change. When in doubt, ask for pre-approval before uploading a
> new upstream release.
>
> Some examples of changes that are undesirable during a freeze:
>
> bumping the debhelper compat level
> switching to a different packaging helper
> adding or dropping a systemd unit or an init script
> adding, removing or renaming binary packages
> adding or removing support for a language (version)
> moving files between binary packages
> changing relations (depends, conflicts, ...) between packages
> changes that affect other packages
> dropping a -dbg package in favour of -dbgsym
> rearranging code, 'cleanups', etc
> ----------------
>
> all of these are not the case. There is two security related bug fixes
> and a version bump. That is all the difference between 2.21 and 2.22. So
> I would say that it meets the requirements.
>
> Olivier
>
>
>
> On 15-07-2021 17:15, Eriberto wrote:
> > Hi Olivier,
> >
> > Thanks a lot for your quick reply.
> >
> > Em qui., 15 de jul. de 2021 às 05:09, Olivier Sessink
> > <olivier@bluefish.openoffice.nl> escreveu:
> >>
> >> Hi Eriberto,
> >>
> >> yes it is secure to change only those two lines.
> >>
> >> however, the only other change in 2.22 is in jk_lsh.c
> >> https://cvs.savannah.nongnu.org/viewvc/jailkit/jailkit/src/jk_lsh.c?r1=1.36&r2=1.37&sortby=log
> >> which is also a (minor) security update (it improves security logging).
> >>
> >> I don't know what the policy for a frozen Debian is, but 2.22 is
> >> functional identical to 2.21 with only security improvements. So isn't
> >> it safer to use 2.22 ? There is no chance there could be any
> >> incompatibility between 2.21 and 2.22 because there are no changes
> >> besides security.
> >>
> >> Olivier
> >
> > The frozen policy[1] doesn't allow uploading new upstream (mainstream)
> > releases at this time. Consequently, today, I will re-upload 2.21 with
> > a patch to fix jk_update.
> >
> > [1] https://release.debian.org/bullseye/freeze_policy.html
> >
> > Cheers,
> >
> > Eriberto
> >
>
>
> --
> Bluefish website http://bluefish.openoffice.nl/
> Blog http://oli4444.wordpress.com/