[SRU] update check-all-the-things to xenial

Bug #1597245 reported by Gianfranco Costamagna
Affects                          Status         Importance   Assigned to             Milestone
check-all-the-things (Ubuntu)    Fix Released   Undecided    Unassigned
Xenial                           Fix Released   Undecided    Gianfranco Costamagna

Bug Description

[Impact]

 * Anything else you think is useful to include
 * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
 * and address these questions in advance
Per upstream request
[11:21:17] <pabs> mapreri, LocutusOfBorg: cats uploaded to sid (fixes security issues too)
[11:22:51] <LocutusOfBorg> can be syncd in yakkety?
[11:24:14] <pabs> yes, I moved the clang-modernize thing to a jessie overlay
[11:24:24] <pabs> and the php dep got fixed
[11:25:23] <pabs> LocutusOfBorg: if possible, I would like it removed from xenial or synced there. the security issues are fairly important
[11:25:59] <pabs> the perl one is easy to fix via a patch but the other one is more involved

[Test Case]

* no known exploits

[Regression Potential]

* none, used only by developers, and just a few of them, it just runs other tools

description: updated
Changed in check-all-the-things (Ubuntu):
status: New → Fix Released
Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

let's SRU instead

summary: - update check-all-the-things to xenial
+ [SRU] update check-all-the-things to xenial
description: updated
Changed in check-all-the-things (Ubuntu Xenial):
status: New → Fix Committed
Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

in unapproved queue, and yakkety is migrating in a few hours

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

Hi security team, I got a NACK from -release, can you please follow up with this one?
thanks

Revision history for this message
Seth Arnold (seth-arnold) wrote :

What's the intended action here? backporting 2016.06.29.1 to Xenial? Or applying specific patches to Xenial's package? Thanks

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

Backporting the new version, but as SRU, not in -backports pocket.
Isolating single patches is not feasible, per upstream suggestion

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

ping @Seth Arnold :)

Changed in check-all-the-things (Ubuntu Xenial):
status: Fix Committed → New
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hi LocutusOfBorg, please prepare a diff against one of the newer packages that we can use for the 16.04 LTS upload and report back the testing that was done for the update. We're not in a position to be able to prepare updates for arbitrary universe packages.

Thanks

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

I prepared 2016.06.29.1 for xenial, and while installing it I discovered I was already using it since... one year or so, so I tested it a *lot* on a lot of packages already :)

sudo dpkg -i ../check-all-the-things_2016.06.29.1~16.04.1_all.deb
dpkg: warning: downgrading check-all-the-things from 2016.06.29.1~ubuntu16.04.1 to 2016.06.29.1~16.04.1
(Reading database ... 550594 files and directories currently installed.)
Preparing to unpack .../check-all-the-things_2016.06.29.1~16.04.1_all.deb ...
Unpacking check-all-the-things (2016.06.29.1~16.04.1) over (2016.06.29.1~ubuntu16.04.1) ...
Setting up check-all-the-things (2016.06.29.1~16.04.1) ...
Processing triggers for man-db (2.7.5-1) ...

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Well, that's a diff alright :) I have to admit I was hoping to instead get "download zesty's package then apply this diff that adds a changelog message and fiddles <blah> to get it to build on xenial".

Is the diff in #8 really the 'best' way to an update? I had trouble making heads or tails of the changes it introduced.

Thanks

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

@Seth, is it ok to have for xenial a version higher than the yakkety one?
I have provided the "safest" and "smallest" debdiff possible, because of the security issue.

That said, I have no problems in uploading even the artful one, the package is used only by Ubuntu and Debian devs, and it has just some new checks and nothing more.

I also tested the artful version, and it works correctly.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hi LocutusOfBorg, the version numbers do need to remain increasing from release to release; otherwise upgrades from one release to the next can fail.

That can complicate wholesale updates like this, as the version numbers will be more lies than correct, but a number like:

2015.12.10ubuntu3-2017.05.20

would do the job. It -is- ugly though.

Thanks

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

I prefer something like this instead
"2015.12.10ubuntu3.is.2017.05.20"

debdiff attached against xenial version

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

debdiff against artful version

Changed in check-all-the-things (Ubuntu Xenial):
status: New → In Progress
assignee: nobody → LocutusOfBorg (costamagnagianfranco)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package check-all-the-things - 2015.12.10ubuntu3.is.2017.05.20

---------------
check-all-the-things (2015.12.10ubuntu3.is.2017.05.20) xenial-security; urgency=medium

   * SRU to Ubuntu 16.04, from Ubuntu artful,
     fixing security issues (LP: #1597245)

check-all-the-things (2017.05.20) unstable; urgency=medium

  * New release.
    - The "Check Things Securely Yet Again" release
    - Support BSD versions of the find command
    - Support running in more types of terminals/places
    - Support running commands in other dirs for safety
    - Support properly disabling flags/checks
    - Disable remarks about already disabled checks
    - Update documentation, TODO items and URLs
    - Print remarks more nicely in certain situations
    - Print filenames and line numbers where possible
    - Flag checks:
      + dangerous - rpmlint ocaml-lintian
      + run-in-tmp-dir - luacheck puppet-lint epubcheck erl-tidy
      + fixme-silent - flawfinder gettext-lint-* luacheck hlint
      + network - cme-check-dpkg
      + manual - gettext-lint-spell
    - Fix complexity - prevent arbitrary code execution
    - Fix perlcritic - disable code execution, only run when perl present,
                       increase verbosity to be more useful
    - Fix clang-tidy regression from version 2016.06.29
    - Fix zzuf - incorrect path matches
    - Fix yamllint - incorrect find argument grouping
    - Fix ELF & Perl checks - add MIME types
    - Fix grep checks - use short options for portability
    - Fix xapian-check - crash due to use of format strings
    - Fix uudecode - include filenames in command-line
    - Fix insecure-recv-keys - typo in regex
    - Fix appstreamcli - unknown command-line option
    - Fix m64-m32 - reduce false positives
    - Fix gettext-lint-spell - add missing dependency, drop *.pot
    - Fix afl - check it is installed properly
    - Fix embed-dirs - add inc/ dirs for Perl packages
    - Add podchecker - check Perl POD documentation
    - Add pscan - check C printf format strings
    - Add leaktracer - check programs for memory leaks
    - Add tmperamental - check programs for tmpfile issues
    - Add govet - report suspicious Go source code
    - Add golint - report Go source code lint
    - Add goimports - check missing/unused Go import lines
    - Add rubocop - check Ruby code against Ruby Style Guide
    - Add roodi - check Ruby code for design issues
    - Add gendarme - check Mono/.NET ECMA CIL files
    - Add make-phony - find misspelled .PHONY targets
    - Add mypy - check Python static typing hints
    - Add pyroma - check Python packaging quality
    - Add bandit - check Python security quality
    - Add dodgy - check dodgy lines in Python code
    - Add vulture - check for dead Python code
    - Add pycodestyle - check Python code style
    - Add pydocstyle - check Python documentation style
    - Add proselint - check for English prose issues
    - Add chktex - check typographic errors in LaTeX docs
    - Add fitscheck/wcslint/volint - FITS/VOTable files
    - Add putty-private-key & openssh-private-key-rsa1
    - Remove ghc-mod - just a wrapper for hlint
    - TODO items for wtf flake8-plugi...

Changed in check-all-the-things (Ubuntu Xenial):
status: In Progress → Fix Released
Revision history for this message
Steve Beattie (sbeattie) wrote :

Hi, I went ahead and sponsored this, after testing briefly on my own.

I note that zesty has 2017.01.15; does that version also contain the afore-mentioned security issues?

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

Yes it should contain all the fixes!

Thanks for fixing
