Hi Heather,
Thanks for the bug report with detailed tracks for releases and debdiff!
Tracks:
I think tracks that don't need the fix should be in 'Invalid' and not
"Won't Fix", since it's not like they had to be fixed but will not.
Impact:
Apparently if you reorder these lines it'd be clearer?
from
1) A method from cryptographic_utils was deprecated and replaced.
2) We are cherry-picking ... to address the unnecessary logging...
3) It also deprecates the usage ...
to
1) A method from cryptographic_utils was deprecated and replaced.
3) It also deprecates the usage ...
2) We are cherry-picking ... to address the unnecessary logging...
since 2 looks like the solution to the problem, and 3 is symptoms.
Also, it is important to highlight the need for the py3-crypto from
cloud archive to reproduce the problem in the Impact section.
(It's currently low profile in the middle of a long sentence in
Test Plan).
Where Problems Could Occur:
I'm not sure I followed why exactly the Build-Depends: are related
since the python code is loaded at runtime (so Depends: are used),
if you could clarify please.
> The impact is low as this fixes a deprecated 3rd party library.
I guess it fixes the _usage_ of a deprecated method from other lib?
It'd be nice if we could confirm that the new code (int.from_bytes)
is not only available in python-cryptography in the ubuntu archive
(old version, not the new version in UCA), but also does not
have bugs that need additional fixes from py-crypto upstream.
(since we'd be switching implementations, let's make sure the new
implementation is equivalent and/or has all fixes needed).
...
Debdiffs:
- changelog: needs LP: #number, and (nitpicking) further indent '-'
under '*' is usual (not strictly required)
- dep3:
  - Origin: typo in "Origin, upstream: <url>" ("Origin: upstream, <url>")
  - Origin: URL is OK, but prefer shorter/commit "https://github.com/mitya57/secretstorage/commit/<id>"
    (we can get to the PR from the commit message or the LP bug number)
  - Bug-Ubuntu: URL is OK, but prefer shorter "https://bugs.launchpad.net/bugs/<number>"
Thanks!