Security slightly compromised. Why is lenny-security altering uw-imap_2007b~dfsg.orig.tar.gz?
Ccing maintainer.
Hi,
* Goswin von Brederlow <goswin-v-b@web.de> [2008-12-14 20:14]:
> I run reprepro to create a local mirror for lenny, lenny-security and
> sid. Since I have it setup to put all 3 into a common pool I noticed
> the following:
[...]
> As you can see Lenny-Security has a different orig.tar.gz than
> Lenny/Sid. This creates a problem for my reprepro as it detects a
> size/md5sum mismatch, aborts and sends me an angry mail. But more
> importantly this prevents the security update from entering Lenny:
>
> 20081106164710|process-unchecked|rejected|uw-imap_2007b~dfsg-4+lenny1_amd64.changes
>
> Rejected: md5sum and/or size mismatch on existing copy of uw-imap_2007b~dfsg.orig.tar.gz.
> Rejected: can not overwrite existing copy of 'uw-imap_2007b~dfsg.orig.tar.gz' already in the archive.
This update was unfortunately a bit problematic. To make the
story short: uw-imap was uploaded as 7:2007b~dfsg-4, but we
then requested to upload this as -3+lenny1 to mark it as a
security update and to prevent broken updates in case
7:2007d~dfsg-1 gets rejected from NEW (the upstream tarball
change is also in -3+lenny1).
Unfortunately -3+lenny1 was rejected on klecker because the
orig.tar.gz of the old build was still lying around in the
queue. As we cannot use the same version twice on klecker,
-4+lenny1 was uploaded as a rebuild of -3+lenny1 and the
upstream tarball change was overlooked in that chaos.
> As it is the vulnerable version of uw-imap will remain in Lenny and
> Lenny will have a known security bug that is totally avoidable. From
> the timestamp above you can see that this problem has been around over
> a month.
>
> Does anyone care?
Yes.
I see two possibilities here, one option is to get
8:2007b~dfsg-1 unblocked and let this migrate to lenny
(there is some weird SONAME change though) or to reupload a
+lenny2 version to testing-security again.
Opinions?
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
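The failure Goswin describes is a pool-level name collision: lenny-security references a uw-imap_2007b~dfsg.orig.tar.gz with a different md5sum and size than the copy lenny and sid share, and both dak and reprepro refuse to overwrite an existing pool file. The script below is an added example, not part of this thread and not code from reprepro or dak: it parses minimal Sources-index stanzas for several suites, maps every pool filename to the (md5sum, size) pairs the suites claim for it, and reports names with more than one pair, plus the on-disk check a mirror does against an index entry. The stanzas, checksums, sizes and exact version strings are constructed for illustration and are not the real values of the uw-imap packages.

```python
"""Detect orig.tar.gz collisions across Debian suites that share one pool.

Added example; not reprepro or dak code. The Sources excerpts, md5sums, sizes
and version strings below are constructed placeholders, not the real uw-imap
values.
"""
import hashlib
import re
from collections import defaultdict

# One "Files:" continuation line: md5sum, size in bytes, filename.
FILES_LINE = re.compile(r"^\s+([0-9a-f]{32})\s+(\d+)\s+(\S+)$")

# Constructed Sources excerpts for three suites feeding one pool. lenny and
# sid reference the same orig tarball; lenny-security references a different
# one under the same name (the situation in the mail above).
SAMPLE_SOURCES = {
    "lenny": """Package: uw-imap
Version: 7:2007b~dfsg-4
Files:
 0123456789abcdef0123456789abcdef 1100 uw-imap_2007b~dfsg-4.dsc
 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 2000000 uw-imap_2007b~dfsg.orig.tar.gz
 bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 30000 uw-imap_2007b~dfsg-4.diff.gz
""",
    "sid": """Package: uw-imap
Version: 7:2007b~dfsg-4
Files:
 0123456789abcdef0123456789abcdef 1100 uw-imap_2007b~dfsg-4.dsc
 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 2000000 uw-imap_2007b~dfsg.orig.tar.gz
 bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 30000 uw-imap_2007b~dfsg-4.diff.gz
""",
    "lenny-security": """Package: uw-imap
Version: 7:2007b~dfsg-4+lenny1
Files:
 fedcba9876543210fedcba9876543210 1120 uw-imap_2007b~dfsg-4+lenny1.dsc
 cccccccccccccccccccccccccccccccc 2000512 uw-imap_2007b~dfsg.orig.tar.gz
 dddddddddddddddddddddddddddddddd 31000 uw-imap_2007b~dfsg-4+lenny1.diff.gz
""",
}


def parse_sources(text):
    """Parse a Sources index into a list of stanza dicts.

    Handles only what this check needs: simple "Key: value" fields, blank-line
    stanza separators, and the indented continuation lines of Files:, which
    become a list of (md5sum, size, filename) tuples.
    """
    stanzas, current, files, key = [], {}, [], None
    for line in text.splitlines():
        if not line.strip():
            if current:
                current["Files"] = files
                stanzas.append(current)
            current, files, key = {}, [], None
            continue
        if line[0] in " \t":
            if key is None:
                raise ValueError("continuation line before any field: %r" % line)
            if key == "Files":
                m = FILES_LINE.match(line)
                if not m:
                    raise ValueError("malformed Files line: %r" % line)
                files.append((m.group(1), int(m.group(2)), m.group(3)))
            else:
                current[key] += "\n" + line.strip()
            continue
        key, _, value = line.partition(":")
        current[key] = value.strip()
    if current:
        current["Files"] = files
        stanzas.append(current)
    return stanzas


def index_pool(sources_by_suite):
    """Map each pool filename to {(md5sum, size): set of suites referencing it}."""
    pool = defaultdict(lambda: defaultdict(set))
    for suite, text in sources_by_suite.items():
        for stanza in parse_sources(text):
            for md5, size, name in stanza["Files"]:
                pool[name][(md5, size)].add(suite)
    return pool


def find_conflicts(pool):
    """Return {filename: {(md5sum, size): [suites]}} for names with >1 variant.

    A shared pool can hold one file per name, so any such name means the
    second upload will be rejected rather than overwrite the first.
    """
    return {name: {k: sorted(v) for k, v in variants.items()}
            for name, variants in pool.items() if len(variants) > 1}


def check_pool_file(data, md5, size):
    """True when on-disk bytes match an index entry's md5sum and size."""
    return len(data) == size and hashlib.md5(data).hexdigest() == md5


if __name__ == "__main__":
    for name, variants in find_conflicts(index_pool(SAMPLE_SOURCES)).items():
        print("conflict: %s" % name)
        for (md5, size), suites in variants.items():
            print("  %s %d  <- %s" % (md5, size, ", ".join(suites)))
```

Run against real indexes, `SAMPLE_SOURCES` would be replaced by the uncompressed Sources files of each suite you mirror into a common pool; the only name flagged in the constructed data is the orig tarball, since the .dsc and .diff.gz names carry the Debian revision and therefore never collide between -4 and -4+lenny1.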