[Santuario] bug-fix for xml-security-c

Etienne Dysli-Metref etienne.dysli-metref at switch.ch
Wed Sep 6 07:41:35 UTC 2017

Hi Andrés,

Thank you very much for taking the time to report and fix this bug! :)
I'm not the official Debian maintainer for xml-security-c (just a small
contributor) so I might be wrong on some accounts, but I'll try to
answer your questions anyway.

On 05/09/17 17:24, Andres Sanchez Mendivelso wrote:
> I hope this is the proper way to report a bug in one of the packages
> you're maintaining on Ubuntu 14.04. We found an issue on the
> XSECSafeBuffer compilation unit, in the Santuario project
> (xml-security-c package).

Well this is Debian here, not Ubuntu... We package xml-security-c for
Debian releases and don't have much control over what Canonical (the
company) does with them for Ubuntu releases.

Bugs against Debian packages should be reported to bugs.debian.org as is
described on https://www.debian.org/Bugs/Reporting. If you also report
it upstream that's even better.

> The fix has already been applied over the project's upstream, after we
> contacted one of the developers. You can see the comment over
> here: https://github.com/apache/santuario-cpp/pull/2.
> You may find attached to this message a patch file with the fix. 

This is where I'm not sure about the "Debian way" to proceed... Usually
patches against unreleased software (in this case, the next version of
xml-security-c which would include this change) are not applied against
the currently released Debian package (i.e. the one in stable) unless
it's a security fix (and then there is likely a new version released
from upstream). What I suppose will happen here is that we're going to
wait until Scott Cantor releases a new version of xml-security-c, then
we'll package it for Debian testing. From then on, it can be backported
to Debian stable and may find its way into an upcoming Ubuntu release.

I hope this answers your questions and I'm sorry to say it's probably
going to be a slow process. If this bug is causing you problems on
Debian stable or testing, please report it on bugs.debian.org
(referencing the upstream fix) so it is not forgotten.

