[Pkg-electronics-devel] Bug#1060407: gtkwave update for {bookworm, bullseye, buster}-security

Emilio Pozuelo Monfort pochu at debian.org
Thu Apr 4 10:21:21 BST 2024


On 29/03/2024 00:06, Adrian Bunk wrote:
> Hi,
> 
> attached are proposed debdiffs for updating gtkwave to 3.3.118 in
> {bookworm,bullseye,buster}-security for review for a DSA
> (and as preview for buster).
> 
> General notes:
> 
> As suggested by the security team in #1060407, this is a backport of a
> new upstream version to fix the 82 CVEs.
> 
> I checked a handful of CVEs, and they were also present in buster.
> If anyone insists that I check for every single CVE whether it is also
> in buster I can do that, but that would be a lot of work.
> 
> As already mentioned in #1060407, the ghwdump tool (and manpage) was
> dropped in 3.3.110 from the upstream sources, and is now in ghdl-tools.
> For bullseye and buster it is therefore readded.
> 
> As mentioned in #1060407 there are different tarballs for GTK 2 and GTK 3.
> Looking closer I realized that this is actually one tarball that
> supports GTK 1+2, and one tarball that supports GTK 2+3.
> I did stay at the GTK 1+2 tarball that was already used before
> for bullseye and buster since there was anyway a different upstream
> tarball required for the +really version that is required to avoid
> creating file conflicts with ghwdump when upgrading to bookworm.
> 
> What does the security team consider the best versioning for bullseye?
> In #1060407 I suggested 3.3.104+really3.3.118-0.1, but now I ended up
> preferring 3.3.104+really3.3.118-0+deb11u1

I saw this earlier but I couldn't think of a better versioning scheme, though 
this looked awkward. Now I have thought of a (possibly) better one, so I'm 
stating it here in case we find ourselves in a similar situation in the future 
and someone remembers this thread.

I would have gone with

   3.3.118-0.1~deb12u1
   3.3.118+gtk2-0+deb11u1
   3.3.118+gtk2-0+deb10u1

Similar to how we do +dfsg or +repack. The +really is usually used for going 
back without adding an epoch, but here we're going forward, so perhaps such a 
naming would have made more sense. It also makes it clearer why there's a 
different tarball.

Cheers,
Emilio
