[Debian-olpc-devel] please unblock sugar-toolkit

Holger Levsen holger at layer-acht.org
Fri Feb 6 15:18:25 UTC 2009


Hi,

sugar-toolkit in lenny has two critical issues, which are fixed in sid: a
security issue which allows malicious applications (activities in
sugar-speak) to delete arbitrary files in the user's home dir and another
which prevents activities from appearing localized.

Sadly the version in sid has other harmless changes cluttering the diff and
those two bugs are also not filed in the BTS. On the plus side, the package
has been in sid for one and a half months:

sugar-toolkit (0.82.11-7) unstable; urgency=medium 
   * Add patch 0000 (and drop patch 0001) to sync with upstream stable
     head:
     + Update urdu (ur), russian (ru) and tyrkish (tr) translations
     + sanity-check bundle root; don't delete install_root on failure
     + Set the correct locale path for system activities

those two ^^^ are the critical ones.

   * Limit watch file to track stable 0.82 branch.
   * Update CDBS snippets:
     + Simplify internal variables
     + Ignore no files by default in copyright-check.mk
     + Correct and update copyright hints of the snippets themselves
   * Update debian/copyright and copyright hints:
     + Add info on CDBS snippets (new owners, no new licenses)
     + Bump to version 420 of new format (no structural changes)
     + Add sugar-devel mailinglist as upstream maintainer.
     + Update upstream source URLs.
     + Refer to LGPL as "GNU Library..." (not Lesser).
     + Refer to "Debian GNU systems" (not only GNU/Linux).
   * Set urgency=medium due to install_root removal fix.

 -- Jonas Smedegaard <dr at jones.dk>  Fri, 19 Dec 2008 17:06:05 +0100


$ debdiff sugar-toolkit_0.82.11-6.dsc sugar-toolkit_0.82.11-7.dsc|diffstat
 debian/patches/0000_upstream_stable_head.patch                 |  455 ++++++++++
 debian/patches/0001_fix_system_activity_locale_path.patch      |   30 
 sugar-toolkit-0.82.11/debian/cdbs/1/class/autotools-vars.mk    |    2 
 sugar-toolkit-0.82.11/debian/cdbs/1/class/makefile.mk          |    2 
 sugar-toolkit-0.82.11/debian/cdbs/1/class/python-vars.mk       |    3 
 sugar-toolkit-0.82.11/debian/cdbs/1/rules/buildinfo.mk         |    2 
 sugar-toolkit-0.82.11/debian/cdbs/1/rules/copyright-check.mk   |    7 
 sugar-toolkit-0.82.11/debian/cdbs/1/rules/package-relations.mk |    2 
 sugar-toolkit-0.82.11/debian/changelog                         |   23 
 sugar-toolkit-0.82.11/debian/copyright                         |  154 +--
 sugar-toolkit-0.82.11/debian/copyright_hints                   |   63 +
 sugar-toolkit-0.82.11/debian/patches/series                    |    2 
 sugar-toolkit-0.82.11/debian/watch                             |    2 
 13 files changed, 637 insertions(+), 110 deletions(-)


If you don't want to unblock this, I'd be happy to do an upload to t-p-u only
adding the 0000-patch and removing 0001.


Thanks,
	Holger