[Pkg-shadow-devel] Wheezy update of shadow?

Serge E. Hallyn serge at hallyn.com
Sat Jul 30 05:23:02 UTC 2016


On Sun, Jul 24, 2016 at 11:26:46PM +0200, Bálint Réczey wrote:
> (removing LTS list since it is not LTS related)
> 
> Hi Serge & Shadow Maintainters,
> 
> 2016-07-23 22:02 GMT+02:00 Bálint Réczey <balint at balintreczey.hu>:
> > Hi Serge & All,
> >
> > 2016-07-21 16:16 GMT+02:00 Serge E. Hallyn <serge at hallyn.com>:
> >> Quoting Christian PERRIER (bubulle at debian.org):
> >>> Quoting Chris Lamb (lamby at debian.org):
> >>> > Hello dear maintainer(s),
> >>> >
> >>> > the Debian LTS team would like to fix the security issues which are
> >>> > currently open in the Wheezy version of shadow:
> >>> > https://security-tracker.debian.org/tracker/CVE-2016-6251
> >>> > https://security-tracker.debian.org/tracker/CVE-2016-6252
> >>> >
> >>> > Would you like to take care of this yourself?
> >>>
> >>> There is probably zero chances that this happens. I handled over the
> >>> maintenance of shadow to the "team" but the movement is very slow. So
> >>> I suspect that nearly nothing will happen.
> >>>
> >>> As for Nicolas, he is pretty much inactive for years now, so don't
> >>> expect more from his side.
> >>>
> >>>
> >>> So, well, even though I'm not happy to send suuch news, this is more
> >>> or less the reality nowadays.
> >>
> >> Dimitri, are you able to help here?
> >>
> >> I had a candidate package up on mentors for awhile for a new release
> >> (https://mentors.debian.net/debian/pool/main/s/shadow/shadow_4.3-1~b1.dsc).
> >> Would be great if someone would either test that and fix it up / push, or
> >> start over and ditch my work if they prefer.
> >
> > I'll check the package tomorrow, both the new release and an update for Wheezy.
> 
> It seems Serge that you have taken over shadow maintenance and continued
> development on GitHub [1], but the homepage on Alioth does
> not list new releases [2] and also has a lot of outdated information.
> 
> The package on mentors does point to the packaging repo but the repo
> does not have the commits.
> Could you please join the packaging team on alioth and continue
> packagint in the repo there?

Hm.  I joined the alioth team (my thanks to whoever accepted that -
I didn't get an email saying it had been accepted, just happened to
check tonight and it was done :).  My page for the shadow project
though told me to use https://alioth.debian.org/anonscm/git/pkg-shadow/pkg-shadow.git
which didn't yet exist.  So I pushed just the debian/ part of the
tree there, then noticed that debian/control points to 
https://anonscm.debian.org/cgit/pkg-shadow/shadow.git, which is a
copy of the full shadow tree plus debian/.  Now I'm torn
(and tired and therefore indecisive) as to which tree to use.  The
trees are actually identical save debian/, so as long as we use github
for upstream I'd prefer not to have the duplication, hence switch
to just a packaging tree.  But I also don't want to lose the debian/
history.  Thoughts?

-serge



More information about the Pkg-shadow-devel mailing list