Security fixes for libopenmpt in Debian 9

James Cowgill jcowgill at debian.org
Fri Jun 2 16:18:01 UTC 2017


(+CC multimedia list)

Hi,

On 02/06/17 15:53, Jörn Heusipp wrote:
> Seeing announcements of the upcoming Debian 9 release and the fact that
> libopenmpt in Debian testing is still at version 0.2.7386-beta20.3, we
> (the libopenmpt maintainers) decided to backport all security fixes (and
> only security fixes) to a separate libopenmpt-0.2.7386-beta20.3-secfix
> branch in order to make life easier for you and Debian while maintaining
> libopenmpt in Debian 9 and providing security updates.

Thanks, that really does make things a lot easier!

> Additionally, we from now on provide a release and security announcement
> mailing list at
> https://lists.sourceforge.net/lists/listinfo/modplug-libopenmpt-announce
> . You might want to subscribe there. I forwarded the current
> announcement in this mail.

Ok, I've subscribed to that list.

> The issues in libopenmpt 0.2.7386-beta20.3 should get fixed in Debian 9,
> preferably before the release, but if that is not possible anymore due
> to time constraints, after the release.

About the timing, obviously this is quite late so I can't say for
certain they will make the release. However, serious security issues can
go via the security team at any time (and are available ASAP) and
important issues can go into the first point release (9.1) which will
probably be a few months after the release.

> We (libopenmpt maintainers) would prefer if Debian 9 could get updated
> with the latest libopenmpt 0.2 release in a future Debian 9.x point
> release, in particular because there is a XM/IT/MPTM loading bug in
> 0.2.7386-beta20.3 that limits forward-compatibility with modules saved
> by newer OpenMPT versions, and in order to avoid the need to backport
> individual security patches. The libopenmpt 0.2 branch however receives
> not only security fixes but also minor playback and module loading
> updates (no major playback fixes, no new features, no API/ABI changes
> though). I am not sure if updating to the latest libopenmpt 0.2 version
> in a Debian 9.x point release would be acceptable by Debian policy
> though. If there are any important reasons not to update, we recommend
> that you at least consider backporting the single-line change from r7999
> to 0.2.7386-beta20.3.

I'll have to have a proper look at the changes to see what is likely to
be allowed into a point release, though I think it's unlikely that the
latest 0.2 will be allowed because the stable release team like to see
small diffs and only fixes for individual important bugs. Backporting
the change from r7999 might be OK though.

> I am not exactly sure as to which email address I should contact about
> the issues, so please forward-to or CC-on-reply appropriate additional
> addresses as you see fit.

I've added the multimedia list.

> If you would prefer me to report a bug in the Debian bug tracking system
> about the security issues and/or the forward-compatibility issue, I could
> also do that.

This is the best way to flag any issues which need changes. When you
submit a bug it should be CCed to me and the multimedia list
automatically. If you use the "security" tag, it will also be CCed to
the security team as well.

Having said that, if you post it to the new mailing list I'll probably
see it anyway.

Thanks,
James

Link to announcement for reference:
https://lib.openmpt.org/libopenmpt/md_announce-2017-06-02.html
