[SRU] update check-all-the-things to xenial

Bug #1597245 reported by Gianfranco Costamagna
Affects                          Status        Importance  Assigned to            Milestone
check-all-the-things (Ubuntu)    Fix Released  Undecided   Unassigned
Xenial                           Fix Released  Undecided   Gianfranco Costamagna

Bug Description

[Impact]

 * Anything else you think is useful to include
 * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
 * and address these questions in advance

Per upstream request
[11:21:17] <pabs> mapreri, LocutusOfBorg: cats uploaded to sid (fixes security issues too)
[11:22:51] <LocutusOfBorg> can be syncd in yakkety?
[11:24:14] <pabs> yes, I moved the clang-modernize thing to a jessie overlay
[11:24:24] <pabs> and the php dep got fixed
[11:25:23] <pabs> LocutusOfBorg: if possible, I would like it removed from xenial or synced there. the security issues are fairly important
[11:25:59] <pabs> the perl one is easy to fix via a patch but the other one is more involved

[Test Case]

* no known exploits

[Regression Potential]

* none, used only by developers, and just a few of them, it just runs other tools

description: updated
Changed in check-all-the-things (Ubuntu):
status: New → Fix Released
Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

let's SRU instead

summary: - update check-all-the-things to xenial
+ [SRU] update check-all-the-things to xenial
description: updated
Changed in check-all-the-things (Ubuntu Xenial):
status: New → Fix Committed
Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

in unapproved queue, and yakkety is migrating in a few hours

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

Hi security team, I got a nack from -release, can you please follow up with this one?
Thanks

Revision history for this message
Seth Arnold (seth-arnold) wrote :

What's the intended action here? backporting 2016.06.29.1 to Xenial? Or applying specific patches to Xenial's package? Thanks

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

Backporting the new version, but as SRU, not in -backports pocket.
Isolating single patches is not feasible, per upstream suggestion

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

ping @Seth Arnold :)

Changed in check-all-the-things (Ubuntu Xenial):
status: Fix Committed → New
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hi LocutusOfBorg, please prepare a diff against one of the newer packages that we can use for the 16.04 LTS upload and report back the testing that was done for the update. We're not in a position to be able to prepare updates for arbitrary universe packages.

Thanks

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

I prepared 2016.06.29.1 for xenial, and while installing it I discovered I was already using it since... one year or so, so I tested it a *lot* on a lot of packages already :)

sudo dpkg -i ../check-all-the-things_2016.06.29.1~16.04.1_all.deb
dpkg: warning: downgrading check-all-the-things from 2016.06.29.1~ubuntu16.04.1 to 2016.06.29.1~16.04.1
(Reading database ... 550594 files and directories currently installed.)
Preparing to unpack .../check-all-the-things_2016.06.29.1~16.04.1_all.deb ...
Unpacking check-all-the-things (2016.06.29.1~16.04.1) over (2016.06.29.1~ubuntu16.04.1) ...
Setting up check-all-the-things (2016.06.29.1~16.04.1) ...
Processing triggers for man-db (2.7.5-1) ...

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Well, that's a diff alright :) I have to admit I was hoping to instead get "download zesty's package then apply this diff that adds a changelog message and fiddles <blah> to get it to build on xenial".

Is the diff in #8 really the 'best' way to an update? I had trouble making heads or tails of the changes it introduced.

Thanks

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

@Seth, is it ok to have for xenial a version higher than the yakkety one?
I have provided the "safest" and "smallest" debdiff possible, because of the security issue.

That said, I have no problems in uploading even the artful one, the package is used only by Ubuntu and Debian devs, and it has just some new checks and nothing more.

I also tested the artful version, and it works correctly.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hi LocutusOfBorg, the version numbers do need to remain increasing from release to release; otherwise upgrades from one release to the next can fail.

That can complicate wholesale updates like this, as the version numbers will be more lies than correct, but a number like:

2015.12.10ubuntu3-2017.05.20

would do the job. It -is- ugly though.

Thanks

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

I prefer something like this instead
"2015.12.10ubuntu3.is.2017.05.20"

debdiff attached against xenial version
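The two comments above argue about a version string for the xenial SRU that still sorts below what yakkety, zesty and artful ship. The following is an added illustration, not code from this bug or from dpkg: it re-implements the Debian Policy version ordering (the rule dpkg --compare-versions applies) in Python and checks the release chain discussed in the thread. The pre-SRU xenial version 2015.12.10ubuntu3 is inferred from Seth's proposal, 2016.06.29.1 is the version named for yakkety earlier in the thread, 2017.01.15 is the zesty version Steve mentions later, and 2017.05.20 is the artful version from the changelog; the chain list is constructed here for the check.

```python
"""Debian-style version comparison, written as an illustration (not dpkg's own
code) of the ordering rule the SRU discussion turns on: the xenial update must
sort above the old xenial version and below every later release's version."""


def _order(ch):
    """Weight of one character in a non-digit run (Debian Policy 5.6.12):
    '~' sorts before everything, even end of string; letters before non-letters."""
    if ch == '~':
        return -1
    if ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _segment_cmp(a, b):
    """Compare two version fragments (upstream or revision) by alternately
    walking a non-digit run and a numeric run, left to right."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare by weight; a missing character counts as 0,
        # so "a~" < "a" < "a." holds as dpkg requires.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros, then the longer digit string wins,
        # otherwise the first differing digit decides.
        while i < len(a) and a[i] == '0':
            i += 1
        while j < len(b) and b[j] == '0':
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version):
    """Split 'epoch:upstream-revision' into its parts; epoch defaults to 0 and
    revision to '' when absent (the xenial package in the thread has neither)."""
    epoch = 0
    if ':' in version:
        head, version = version.split(':', 1)
        epoch = int(head)
    upstream, sep, revision = version.rpartition('-')
    if not sep:
        upstream, revision = version, ''
    return epoch, upstream, revision


def compare_versions(a, b):
    """Negative, zero or positive as a <, ==, > b, in the sense of dpkg --compare-versions."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return ea - eb
    c = _segment_cmp(ua, ub)
    if c != 0:
        return c
    return _segment_cmp(ra, rb)


def is_sorted_increasing(versions):
    """True when every version strictly precedes the next, i.e. a release-to-release
    upgrade along this chain is never seen as a downgrade."""
    return all(compare_versions(x, y) < 0 for x, y in zip(versions, versions[1:]))


# Constructed release chain assembled from the versions named in this bug.
RELEASE_CHAIN = [
    "2015.12.10ubuntu3",                # xenial before the SRU (inferred from Seth's proposal)
    "2015.12.10ubuntu3.is.2017.05.20",  # the xenial-security SRU (Gianfranco's scheme)
    "2016.06.29.1",                     # yakkety
    "2017.01.15",                       # zesty
    "2017.05.20",                       # artful
]

if __name__ == "__main__":
    print("release chain strictly increasing:", is_sorted_increasing(RELEASE_CHAIN))
    # Seth's hyphenated proposal also sorts above the old xenial version: the text
    # after '-' is a Debian revision, and an empty revision sorts below any other.
    print(compare_versions("2015.12.10ubuntu3", "2015.12.10ubuntu3-2017.05.20") < 0)
    # The "downgrading" warning in the dpkg -i transcript above: after the common
    # "~", the letter 'u' outranks the digit '1', so ~ubuntu16.04.1 > ~16.04.1.
    print(compare_versions("2016.06.29.1~ubuntu16.04.1", "2016.06.29.1~16.04.1") > 0)
```

Both proposals satisfy the constraint; the difference is only which one reads less like a lie. The same comparison also explains the "downgrading" line in the earlier dpkg -i transcript, which is why a "~ubuntu16.04.1" suffix is not a safe way to build a version below an existing one.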

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

debdiff against artful version

Changed in check-all-the-things (Ubuntu Xenial):
status: New → In Progress
assignee: nobody → LocutusOfBorg (costamagnagianfranco)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package check-all-the-things - 2015.12.10ubuntu3.is.2017.05.20

---------------
check-all-the-things (2015.12.10ubuntu3.is.2017.05.20) xenial-security; urgency=medium

   * SRU to Ubuntu 16.04, from Ubuntu artful,
     fixing security issues (LP: #1597245)

check-all-the-things (2017.05.20) unstable; urgency=medium

  * New release.
    - The "Check Things Securely Yet Again" release
    - Support BSD versions of the find command
    - Support running in more types of terminals/places
    - Support running commands in other dirs for safety
    - Support properly disabling flags/checks
    - Disable remarks about already disabled checks
    - Update documentation, TODO items and URLs
    - Print remarks more nicely in certain situations
    - Print filenames and line numbers where possible
    - Flag checks:
      + dangerous - rpmlint ocaml-lintian
      + run-in-tmp-dir - luacheck puppet-lint epubcheck erl-tidy
      + fixme-silent - flawfinder gettext-lint-* luacheck hlint
      + network - cme-check-dpkg
      + manual - gettext-lint-spell
    - Fix complexity - prevent arbitrary code execution
    - Fix perlcritic - disable code execution, only run when perl present,
                       increase verbosity to be more useful
    - Fix clang-tidy regression from version 2016.06.29
    - Fix zzuf - incorrect path matches
    - Fix yamllint - incorrect find argument grouping
    - Fix ELF & Perl checks - add MIME types
    - Fix grep checks - use short options for portability
    - Fix xapian-check - crash due to use of format strings
    - Fix uudecode - include filenames in command-line
    - Fix insecure-recv-keys - typo in regex
    - Fix appstreamcli - unknown command-line option
    - Fix m64-m32 - reduce false positives
    - Fix gettext-lint-spell - add missing dependency, drop *.pot
    - Fix afl - check it is installed properly
    - Fix embed-dirs - add inc/ dirs for Perl packages
    - Add podchecker - check Perl POD documentation
    - Add pscan - check C printf format strings
    - Add leaktracer - check programs for memory leaks
    - Add tmperamental - check programs for tmpfile issues
    - Add govet - report suspicious Go source code
    - Add golint - report Go source code lint
    - Add goimports - check missing/unused Go import lines
    - Add rubocop - check Ruby code against Ruby Style Guide
    - Add roodi - check Ruby code for design issues
    - Add gendarme - check Mono/.NET ECMA CIL files
    - Add make-phony - find misspelled .PHONY targets
    - Add mypy - check Python static typing hints
    - Add pyroma - check Python packaging quality
    - Add bandit - check Python security quality
    - Add dodgy - check dodgy lines in Python code
    - Add vulture - check for dead Python code
    - Add pycodestyle - check Python code style
    - Add pydocstyle - check Python documentation style
    - Add proselint - check for English prose issues
    - Add chktex - check typographic errors in LaTeX docs
    - Add fitscheck/wcslint/volint - FITS/VOTable files
    - Add putty-private-key & openssh-private-key-rsa1
    - Remove ghc-mod - just a wrapper for hlint
    - TODO items for wtf flake8-plugi...

Changed in check-all-the-things (Ubuntu Xenial):
status: In Progress → Fix Released
Revision history for this message
Steve Beattie (sbeattie) wrote :

Hi, I went ahead and sponsored this, after testing briefly on my own.

I note that zesty has 2017.01.15; does that version also contain the aforementioned security issues?

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

Yes it should contain all the fixes!

Thanks for fixing
