[Pkg-kde-extras] Update of exiv2 in stretch

Maximiliano Curia maxy at gnuservers.com.ar
Thu Jun 28 17:28:31 BST 2018


Hello Roberto!

On 2018-06-28 at 08:35 -0400, Roberto C. Sánchez wrote:
> I forked your Salsa project but I had difficulty figuring out the proper
> starting point for a branch.  It looks like master contains work for
> both unstable and experimental in it.  I did use a Git repository to do
> my work, but I began with importing exiv2_0.25-3.1.dsc.

You could have used debian/0.25-3.1 as a starting point and a feature-specific 
branch for your changes, but I guess that it doesn't really make much of a 
difference.

> That said, I have exported the individual commits as patches and attached
> them to this mail.  You can use 'git apply' on them and it should just
> work, except maybe for the placement of the changelog entry.

I imported these changes in the salsa repo and uploaded 0.25-4, the branch 
debian/stretch-security has your changes with the corresponding version for a 
stretch upload.

> I did want to add two additional notes for your information:

> 1. My changes do not address CVE-2018-11037 (the only remaining open CVE
> against the exiv2 package in Debian), since upstream has not yet fixed
> it.  The issue in GitHub indicates it will be fixed in 0.27.

> 2. I had to make some adjustments to the error handling from the newer
> upstream commits, as they have ported the "enforce" mechanism (similar
> to assert) from D and it seemed too large a change to bring in for a
> security update.  I requested a review of my patch from upstream in
> GitHub (https://github.com/Exiv2/exiv2/issues/302) but have not yet
> received a reply.  After submitting that request for review I did
> patches for the remaining CVEs and encountered enough other error
> handling code that I am comfortable with my approach, so I don't think
> it is that important that upstream has not yet replied.

Interesting, thanks for the info.

> I will leave it up to you to integrate my patches, make the upload to
> unstable, and coordinate the remaining transitions and advisory with the
> security team.  You are welcome to use the DLA text I attached to the
> first mail, or to write your own more detailed advisory as you prefer.

Just to be clear, I wasn't trying to take over the stable upload, please go 
ahead with it if you want to.

Happy hacking,
-- 
"Brilliant opportunities are cleverly disguised as insolvable problems."
-- Gardener's Philosophy

"The reverse is also true." -- Corollary
Regards /\/\ /\ >< `/