diffoscope_240+deb12u1_amd64.changes ACCEPTED into proposed-updates

Debian FTP Masters ftpmaster at ftp-master.debian.org
Tue Sep 3 17:47:08 BST 2024


Thank you for your contribution to Debian.



Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 26 Aug 2024 11:43:37 +0100
Source: diffoscope
Built-For-Profiles: nocheck
Architecture: source
Version: 240+deb12u1
Distribution: stable
Urgency: medium
Maintainer: Reproducible builds folks <reproducible-builds at lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby at debian.org>
Closes: 1078883
Changes:
 diffoscope (240+deb12u1) stable; urgency=medium
 .
   [ Chris Lamb ]
   * Backport a patch by FC (Fay) Stegerman to fix a FTBFS caused by a
     .zip-related security fix that was included in Debian's own upload of
     python3.11 3.11.2-6+deb12u2 (see #1070133). Diffoscope's testsuite
     deliberately exercises a Mozilla-style ZIP file that has its Central
     Directory section at the beginning of the file, rather than at the end. This
     breaks the new overlap check in Python's built-in zipfile.py library as
     that checks that every entry ends before the Central Directory begins. Many
     thanks to Fay for both the patch and related guidance. (Closes: #1078883)
   * Do not call marshal.loads() on precompiled Python bytecode as it is
     inherently unsafe. The loads() method can easily cause the CPython process
     running diffoscope to irretrievably crash (e.g. when presented with a newer
     .pyc format), and potentially permit arbitrary code execution. Replace,
     for now, with a brief textual summary of the code section of .pyc files
     instead. For more information, see:
     <https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/371>
Checksums-Sha1:
 618824e4657b53c86c5403b724286e8336228ad3 5183 diffoscope_240+deb12u1.dsc
 3fc068320bad4c5e4bf98cbd1b8170549cdaa473 2442344 diffoscope_240+deb12u1.tar.xz
 c891561479979bc901a4863d2e38c56730b71ee5 7234 diffoscope_240+deb12u1_amd64.buildinfo
Checksums-Sha256:
 5107c359ec1637d82e8041160b22054123d21fcf500e9358fdcdac904c8fb1b8 5183 diffoscope_240+deb12u1.dsc
 88c102de0011563bac39f8c8a5b19304e926600fd225aa6d5c108e2b0fc16adc 2442344 diffoscope_240+deb12u1.tar.xz
 38711632fbf6dd0447c7817000d2bad076fbb48df0ebc167ba38cd92674e0715 7234 diffoscope_240+deb12u1_amd64.buildinfo
Files:
 468c71271c19c5e272b3b46827e9d743 5183 devel optional diffoscope_240+deb12u1.dsc
 05e75e2b148bfa807f36454b2ec06c24 2442344 devel optional diffoscope_240+deb12u1.tar.xz
 cdaf26b8ffe90ba684ae089f881d870e 7234 devel optional diffoscope_240+deb12u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
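
As an added illustration of the second changelog item (not diffoscope's code and not part of this upload): a summary of a .pyc file built from its header alone, treating the code section as opaque bytes so that marshal.loads() is never called. It assumes the 16-byte PEP 552 header of CPython 3.7+; the function names and the sample bytes are constructed for this example.

```python
import hashlib
import struct

HEADER_LEN = 16  # assumption: PEP 552 header layout (CPython 3.7+)


def summarize_pyc(data: bytes) -> dict:
    """Describe a .pyc from its header only; the code section is kept as
    opaque bytes and is never handed to marshal.loads()."""
    if len(data) < HEADER_LEN:
        raise ValueError(f"truncated .pyc: {len(data)} bytes, need {HEADER_LEN}")
    magic = data[:4]
    if magic[2:] != b"\r\n":
        raise ValueError("bad magic: expected trailing CR LF")
    flags = struct.unpack_from("<I", data, 4)[0]
    summary = {
        "magic_number": struct.unpack_from("<H", magic)[0],
        "flags": flags,
    }
    if flags & 0x1:
        # Hash-based .pyc: bytes 8..16 hold a hash of the source file.
        summary["kind"] = "hash-based"
        summary["check_source"] = bool(flags & 0x2)
        summary["source_hash"] = data[8:16].hex()
    else:
        # Timestamp-based .pyc: source mtime and source size, both uint32.
        mtime, size = struct.unpack_from("<II", data, 8)
        summary.update(kind="timestamp", source_mtime=mtime, source_size=size)
    code = data[HEADER_LEN:]
    # Length and digest are enough to tell whether two builds differ.
    summary["code_len"] = len(code)
    summary["code_sha256"] = hashlib.sha256(code).hexdigest()
    return summary


def make_sample(flags: int, field: bytes, body: bytes) -> bytes:
    """Constructed sample bytes, not a real compiled module; 3495 is a
    sample magic number and `body` stands in for the marshalled code."""
    return struct.pack("<H", 3495) + b"\r\n" + struct.pack("<I", flags) + field + body


if __name__ == "__main__":
    sample = make_sample(0, struct.pack("<II", 1724668800, 42), b"\xe3opaque")
    for key, value in summarize_pyc(sample).items():
        print(f"{key}: {value}")
```

Two files whose summaries match are byte-identical in their code section; a mismatch in `code_sha256` flags a difference without executing or unmarshalling either file.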
