Ubuntu
openafs package

  1. Bug #1145560
  2. Comment #14

Comment 14 for bug 1145560

Revision history for this message
Luke Faraone (lfaraone) wrote : Re: [Bug 1145560] Re: OpenAFS Security Advisories 2013-001 and 2013-002

Jamie,

Thanks for your review.

On Fri, Mar 08, 2013 at 10:43:51PM -0000, Jamie Strandboge wrote:
> Thanks for your patches! Unfortunately, I can't process them at this time due to the following:
> - the oneiric debdiff does not use the format as prescribed by https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging
> - the precise debdiff does not use the format as prescribed by https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging
> - the quantal debdiff does not use the format as prescribed by https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging
> - the oneiric debdiff patches debian/patches/debian-changes. This is a source format v3 (quilt) package so the security updates should be in their own patches. When redoing this patch, be sure to include DEP-3 comments (the information that would have been in these is missing from debian/changelog)
> - the precise debdiff patches debian/patches/debian-changes. This is a source format v3 (quilt) package so the security updates should be in their own patches. When redoing this patch, be sure to include DEP-3 comments (the information that would have been in these is missing from debian/changelog)
> - the quantal debdiff patches the files inline which it is a source format v3 (quilt) package. When redoing this patch, be sure to include DEP-3 comments (the information that would have been in these is missing from debian/changelog)

I'll address these concerns in a reupload.

> - the oneiric debdiff has the wrong version-- it should be 1.6.0-1ubuntu0.1
> - the quantal debdiff does not use the correct version. It should be 1.6.1-2ubuntu2.1
> - the precise debdiff has the wrong version-- it should have been 1.6.1-1ubuntu0.2 with precise-proposed as 1.6.1-1ubuntu0.1, but precise-proposed' version of 1.6.1-1+ubuntu0.1 was mistakenly accepted. Unfortunately, if we are basing on the precise-proposed package, we have to use 1.6.1-1+ubuntu0.2

I'll increment the precise version, but it wasn't mistakingly accepted, see below:

In <https://bugs.launchpad.net/ubuntu/+source/openafs/+bug/356861/comments/1>, ~broder wrote:
> Be careful choosing version numbers for this. The normal mechanism for
> an Ubuntu security version number will result in kernel modules with a
> lower version than the current modules.

> - the precise debdiff is based on a package in precise-proposed. This should be based on what is currently in -security or -updates (see https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging)

I had previously gotten approval to base off of what is in -proposed. In
any case, -proposed will move to -updates on Monday.

> The Lucid package is patchless, so the inline patches are fine. The
> debdiff didn't have the correct debian/changelog formatting, but I
> adjusted it. It would have been nice to have commit URLs (ie, what would
> have been in the DEP-3 comments), but I've uploaded it after verify the
> commits against upstream.
>
> Unsubscribing ubuntu-security-sponsors for now. Please resubscribe after
> updating the oneiric-quantal debdiffs. Thanks!

Thanks,

Luke