Guido Günther: Debian work in May
May was the first month I started to contribute to Debian LTS under the
Freexian umbrella. In total I spent six hours working on:
- dulwich: research on CVE-2015-0838, CVE-2014-9706. This resulted in DLA-231-1.
- mercurial: research on CVE-2014-9462, CVE-2014-9390 with Javi Merino. This resulted in DLA-237-1.
- mongodb: research on CVE-2015-1609. It turned out that we're not affected: the code did the check correctly in earlier versions but then lost it.
- Find a package to work on via https://security-tracker.debian.org/tracker/status/release/oldoldstable
- Look at the details, via the security tracker, e.g. https://security-tracker.debian.org/tracker/source-package/mercurial
- Get the sources
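    #!/bin/sh -e
    # Import all versions of a package from snapshot.debian.org and start an
    # LTS branch from the version currently in squeeze.

    PKG="$1"

    # Fetch every uploaded version via debsnap and import it into git
    gbp import-dscs --debsnap "${PKG}"
    cd "${PKG}"
    # Branch off the tag of the squeeze version; ':' and '~' are not valid in
    # git ref names, so the version is mangled to '%' and '_' to match the tag
    git checkout -b debian/squeeze-lts debian/$(rmadison -s squeeze -a amd64 "${PKG}" | awk '/squeeze/ {print $3}' | sed -s -e 's/:/%/' -e 's/~/_/g')
    # Turn debian/patches into a patch-queue branch
    gbp pq import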
- git-pbuilder now knows about LTS so it can create chroots like:
    DIST=squeeze-lts git-pbuilder create
- gbp buildpackage is now clever enough to figure out the distribution
to build for from the current branch name if you adhere to DEP14. So in
case you're building from a git branch named debian/squeeze-lts it will
automatically pass DIST=squeeze-lts to git-pbuilder. This needs the
following in gbp.conf:

    [buildpackage]
    dist = DEP14
- gbp pq now tries harder to preserve patch names. While having patch names adhere to what git am writes out is nice, renaming patches just leads to too much noise when importing and exporting from existing packages (#761161). gbp pq still needs to improve in preserving DEP-3 header information though (#785274).
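
The tag lookup in the "Get the sources" script above prints a version for every rmadison line matching /squeeze/ and hands git checkout an empty tag name if nothing matches. The following added example (not part of the original post) matches the suite field exactly, fails when the suite is absent, and applies the same version mangling; the function name `dep14_tag` and the sample package data are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive the git tag for one suite from rmadison-style output.

# dep14_tag SUITE
# Reads "package | version | suite | architectures" lines on stdin and prints
# debian/<mangled version> for the line whose suite field is exactly SUITE.
# Returns non-zero (and prints nothing) if the suite is not listed.
dep14_tag() {
    awk -F'|' -v suite="$1" '
        {
            # Strip the column padding around every field
            for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
        }
        $3 == suite {
            v = $2
            gsub(/:/, "%", v)   # ":" (epoch) is not valid in a git ref name
            gsub(/~/, "_", v)   # neither is "~"; replace every occurrence
            print "debian/" v
            found = 1
            exit
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample input (hypothetical package and versions, not archive data)
SAMPLE='examplepkg | 1:2.0~rc1~deb6u1 | squeeze     | source, amd64
examplepkg | 1:2.0~rc1~deb6u2 | squeeze-lts | source, amd64'

# Exact suite match: only the squeeze line is used, not squeeze-lts
printf '%s\n' "$SAMPLE" | dep14_tag squeeze

# A missing suite is reported instead of producing an empty tag name
printf '%s\n' "$SAMPLE" | dep14_tag wheezy || echo "no version found for wheezy" >&2
```

In the script above it would replace the awk/sed pipeline, for example `rmadison -s squeeze -a amd64 "${PKG}" | dep14_tag squeeze`, so that `sh -e` stops before `git checkout` when no version is found.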