A few small questions

Jonas Smedegaard jonas at jones.dk
Sun Sep 3 18:22:24 BST 2023


Quoting debian.org at spam.lublink.net (2023-09-03 18:28:48)
> I poked around salsa and found the folder Xpjproject in branch 
> debian/latest, and according to debian/rules, this seems to be  building 
> pjproject-2.12.1.tar.bz2 for the newer releases. This version already 
> has patches for the 3 CVEs.

The source package currently relies on the "component" feature of uscan
(file debian/watch) and git-buildpackage (file debian/gbp.conf).

See `man uscan`, `man gbp-import-orig` and `man dpkg-source` for more
details, where you look for the word "component".


> I tried checking out the git branch buster, and found that the 
> Xpjproject folder doesn't exist and I only found the file 
> pjproject_2.8~dfsg.orig.tar.bz2 ( in debian/ ) .

I guess you are back at some versions that included PJProject in a
different way which I cannot help you understand because I don't really
understand it myself - which is the reason I changed it.

Hopefully others in the team are following along here and can help.
Otherwise I guess you should look for a custom script below debian/ or
perhaps a custom build target in debian/rules that handles PJProject
unpackaging, and extend that...


> How would I produce a patch for this ? Should I decompress the tar.bz2 
> file, patch it, recompress it and then apply the generate a binary patch 
> ?
> 
> I notice there is no git branch for bullseye, is git branching still 
> used?

Git branches are the current style, so yes it is "still used".  I guess
your question really is if it *was* used back then, and I guess the
answer is "not in the same way as now, at least".


> 1:16.2.1~dfsg-1+deb10u2 is the only version of Asterisk that is 
> reportedly still affected by the three CVEs, why do we need to patch 
> this if buster-security contains a fixed version?

I cannot answer such a loaded question.

How did you reach the constraint that we "need to patch this"?  Was it
something I wrote somewhere, or...?

If the version in buster is affected, but a version in buster-security
solves the issue, then I see no need for further work for buster.


> If we do need to patch it, where do I post the patch? Git branch?
> 
> What are my next steps here?

Generally you should *not* use git branches for patches.  You should use
quilt - see `man quilt` or try searching wiki.debian.org for a nicer intro.

Quilt patches should be placed in debian/patches/ named as described in
debian/patches/README (so that the series file can be regenerated with
the command `ls -1 0* 1* 2* > series` executed from within that
directory).

But if you need to patch PJProject, for a release where PJProject is not
readily available when the source package is unpacked, then your next step
is to somehow - alone or with help from others in the team - learn how
to go about that.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
More information about the Pkg-voip-maintainers mailing list
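
Added example, not part of the original mail or of the package: a shell check that debian/patches/series still matches what the `ls -1 0* 1* 2* > series` command quoted above would produce, since a quilt patch that sits in the directory but is missing from series is never applied. The patch file names and the helper names `regen_series`, `check_series` and `make_sample` are constructed for illustration; the only assumption about the naming scheme is that patch names start with 0, 1 or 2 and contain no whitespace.

```shell
#!/bin/sh
# Added example, not from the original mail. Patch file names are constructed.

# Print what the quoted command `ls -1 0* 1* 2*` yields inside DIR.
regen_series() (
    cd "$1" || exit 2
    # LC_ALL=C fixes the sort order; unmatched globs make ls complain, so
    # its stderr and exit status are ignored.
    LC_ALL=C ls -1 0* 1* 2* 2>/dev/null || true
)

# Return 0 when DIR/series lists exactly those files in that order,
# 1 on drift (details on stdout), 2 when there is no series file.
check_series() {
    dir=$1
    [ -f "$dir/series" ] || { echo "no series file in $dir" >&2; return 2; }
    want=$(regen_series "$dir")
    # A series line is "name [options]"; '#' starts a comment.
    have=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$dir/series" | awk '{print $1}')
    [ "$want" = "$have" ] && return 0
    for p in $want; do
        printf '%s\n' "$have" | grep -Fxq -- "$p" ||
            echo "on disk, not in series (never applied): $p"
    done
    for p in $have; do
        printf '%s\n' "$want" | grep -Fxq -- "$p" ||
            echo "in series, not matched by 0* 1* 2*: $p"
    done
    return 1
}

# Constructed sample: three patches, the series file lists only two.
make_sample() {
    d=$(mktemp -d) || return 1
    : > "$d/0001-constructed-upstream-fix.patch"
    : > "$d/1001-constructed-debian-change.patch"
    : > "$d/2001-constructed-cve-backport.patch"
    printf '%s\n' '# constructed series' \
        0001-constructed-upstream-fix.patch \
        '1001-constructed-debian-change.patch -p1' > "$d/series"
    echo "$d"
}

sample=$(make_sample)
check_series "$sample" || echo "series is out of date"
(cd "$sample" && ls -1 0* 1* 2* > series)   # the command from the mail
check_series "$sample" && echo "series matches"
rm -rf "$sample"
```

If the only difference is ordering, `check_series` returns 1 without listing any name, because the comparison is order-sensitive while the per-name report is not.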