[Pkg-varnish-devel] Bug#728989: Bug#728989: Bug#728989: Bug#728989: varnish: CVE-2013-4484

Stig Sandbeck Mathisen ssm at debian.org
Mon Dec 9 09:12:01 UTC 2013


Salvatore Bonaccorso <carnil at debian.org> writes:

> Thanks! Could you please upload them to security-master (needs to be
> built with -sa as it's the first upload for varnish for both
> squeeze-security and wheezy-security).

It will be done.

> Btw, I would have preferred for review if the patch could be applied
> separately via debian/patches/series (I think also Stable Release
> Managers would prefer that way when it will hit pu-NEW ;-)).
>
> The debdiff for squeeze-security does not apply cleanly here on top of
> 2.1.3-8, due to same changes removed as added; but the diff part for
> #728989 for debian-changes-2.1.3-8+deb6u1 looks good.

Handling upstream changes in git, either directly on the packaging
branch or as a patch branch used by debian/source/git-changes, helps
keep this package maintainer sane.

However, I see that it makes the package much harder to review when
looking at debdiffs to verify changes.

Is there anything else I can do to help review changes, when uploading
new changes to *-security?

For example:

* Adding links to the packaging repository:

  Packaging changes for the 2.1.3-8+deb6u1 release in the repository are:

  http://anonscm.debian.org/gitweb/?p=pkg-varnish/pkg-varnish.git;a=patch;h=c610c398ee802cf83a2bd7bcd91ac3614b3a08b3;hp=2660cfd2b8871766545e8dc6b5676e352dadf94b

  (or, with HTML markup)
  http://anonscm.debian.org/gitweb/?p=pkg-varnish/pkg-varnish.git;a=commitdiff;h=c610c398ee802cf83a2bd7bcd91ac3614b3a08b3;hp=2660cfd2b8871766545e8dc6b5676e352dadf94b

* Attaching the output of tag differences from the packaging repository:

    "git log -p debian/2.1.3-8...debian/2.1.3-8+deb6u1"

as a patch instead of, or in addition to, the .dsc debdiff (example
patch attached)?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: varnish_2.1.3-8_to_2.1.3-8+deb6u1.diff
Type: text/x-diff
Size: 3683 bytes
Desc: diff between varnish 2.1.3-8 and 2.1.3-8+deb6u1
URL: <http://lists.alioth.debian.org/pipermail/pkg-varnish-devel/attachments/20131209/d38f26d5/attachment.diff>
-------------- next part --------------

-- 
Stig Sandbeck Mathisen