[Pkg-shadow-devel] Wheezy update of shadow?

Serge E. Hallyn serge at hallyn.com
Sat Jul 30 05:25:26 UTC 2016 

On Sat, Jul 30, 2016 at 12:23:02AM -0500, Serge E. Hallyn wrote:
> On Sun, Jul 24, 2016 at 11:26:46PM +0200, Bálint Réczey wrote:
> > (removing LTS list since it is not LTS related)
> > 
> > Hi Serge & Shadow Maintainters,
> > 
> > 2016-07-23 22:02 GMT+02:00 Bálint Réczey <balint at balintreczey.hu>:
> > > Hi Serge & All,
> > >
> > > 2016-07-21 16:16 GMT+02:00 Serge E. Hallyn <serge at hallyn.com>:
> > >> Quoting Christian PERRIER (bubulle at debian.org):
> > >>> Quoting Chris Lamb (lamby at debian.org):
> > >>> > Hello dear maintainer(s),
> > >>> >
> > >>> > the Debian LTS team would like to fix the security issues which are
> > >>> > currently open in the Wheezy version of shadow:
> > >>> > https://security-tracker.debian.org/tracker/CVE-2016-6251
> > >>> > https://security-tracker.debian.org/tracker/CVE-2016-6252
> > >>> >
> > >>> > Would you like to take care of this yourself?
> > >>>
> > >>> There is probably zero chances that this happens. I handled over the
> > >>> maintenance of shadow to the "team" but the movement is very slow. So
> > >>> I suspect that nearly nothing will happen.
> > >>>
> > >>> As for Nicolas, he is pretty much inactive for years now, so don't
> > >>> expect more from his side.
> > >>>
> > >>>
> > >>> So, well, even though I'm not happy to send suuch news, this is more
> > >>> or less the reality nowadays.
> > >>
> > >> Dimitri, are you able to help here?
> > >>
> > >> I had a candidate package up on mentors for awhile for a new release
> > >> (https://mentors.debian.net/debian/pool/main/s/shadow/shadow_4.3-1~b1.dsc).
> > >> Would be great if someone would either test that and fix it up / push, or
> > >> start over and ditch my work if they prefer.
> > >
> > > I'll check the package tomorrow, both the new release and an update for Wheezy.
> > 
> > It seems Serge that you have taken over shadow maintenance and continued
> > development on GitHub [1], but the homepage on Alioth does
> > not list new releases [2] and also has a lot of outdated information.
> > 
> > The package on mentors does point to the packaging repo but the repo
> > does not have the commits.
> > Could you please join the packaging team on alioth and continue
> > packagint in the repo there?
> 
> Hm.  I joined the alioth team (my thanks to whoever accepted that -
> I didn't get an email saying it had been accepted, just happened to
> check tonight and it was done :).  My page for the shadow project
> though told me to use https://alioth.debian.org/anonscm/git/pkg-shadow/pkg-shadow.git
> which didn't yet exist.  So I pushed just the debian/ part of the
> tree there, then noticed that debian/control points to 
> https://anonscm.debian.org/cgit/pkg-shadow/shadow.git, which is a
> copy of the full shadow tree plus debian/.  Now I'm torn
> (and tired and therefore indecisive) as to which tree to use.  The
> trees are actually identical save debian/, so as long as we use github
> for upstream I'd prefer not to have the duplication, hence switch
> to just a packaging tree.  But I also don't want to lose the debian/
> history.  Thoughts?

Oh, looking more closely, the old packaging tree has a completely
different history from the github one, with commits doing merges from
upstream.

More information about the Pkg-shadow-devel mailing list