[Secure-testing-team] Re: summary of what's blocking security fixes from testing

Steve Langasek vorlon at debian.org
Wed Sep 14 06:28:20 UTC 2005 

On Tue, Sep 13, 2005 at 11:45:52PM -0400, Joey Hess wrote:
> Another pass over security holes that are fixed in unstable but not
> testing. Not sure if these are still useful to send to -release.

Yes, I think they are.

> Testing team summary: well, of these asterisk, inkscape, some kde stuff,
> lm-sensors, mysql-dfsg-4.1, and texmacs seem like the most likely
> candidates for upload to secure-testing, although some of the holes may
> not warrant a DTSA.

FWIW, inkscape is in the libsigc++-2.0/libgc transition that's currently
at the top of my hit list.

> apache
> 	m68k build needs requeued once deps are met
> fftw3
> 	m68k FTBFS
> netpbm
> 	8/10 days old
> 	FTBFS on m68k (ICE)
> rpm
> 	FTBFS m68k (ICE)

I'm forcing these in spite of the lack of m68k builds.  Between ICEs and
general sluggishness, m68k is not keeping up.  I know the m68k porters
are talking about putting new buildds on-line, but there are also a lot
of KDE uploads coming that are going to bog it down further, and lots of 
m68k-specific toolchain problems that still need to be fixed.  If we
don't see improvement soon, I think the necessary next step is to ignore
it for all packages (i.e., exclude it from the list of release
candidates for the time being).

> mysql-dfsg-4.1
> 	26 days old
> 	rc bug
> 	FTBFS on m68k

And no build log for the m68k failure to let people usefully debug it...

The RC bug was apparently meant to be downgraded, and the maintainer
missed.  Downgrading now, and forcing in without m68k.

> bzip
> 	8/10 days old
> chmlib
> 	3/10 days old
> courier
> 	too young
> gxine
> 	too young
> squid
> 	too young
> sqwebmail
> 	too young

Feel free to add urgent hints for any of these.

> clamav (fixed in secure-testing)
> 	33 days old
> 	blocked by gmp
> kismet (fixed in secure-testing)
> 	23 days old
> 	blocked by gmp

This mainly means "blocked by kaffe", I think.

> kdeedu
> 	FTBFS on arm (ICE)
> 	missing hppa and m68k builds

Those will almost certainly be all the same ICE, actually.

> lm-sensors
> 	23 days old
> 	indirectly blocked by perl
> net-snmp
> 	too young
> 	blocked by perl

<grumble>

> mozilla (partially fixed in secure-testing)
> 	41 days old, AKA, is this package being maintained?
> 	rc bugs, FTBDS, etc

I'll NMU this if no one else does, but it'll probably take me a day or
two to get to it.

> mozilla-firefox (partially fixed in secure-testing)
> 	too young

More that arm hasn't finished building it yet.

> mozilla-thunderbird
> 	41 days old
> 	FTBFS on alpha, arm, m68k

... with a patch in the BTS, if someone wants to NMU...

> ntp
> 	177 days old
> 	3 RC bugs, max 98 days old, none with responses from maintainers
> 	recommend removal from testing (and/or debian)

Are these different security bugs than the ones already fixed via
proposed-updates?

> openmotif
> 	106 days old
> 	non-free package, still missing s390 build
> 	(I tried and failed to build this on raptor, machine is too
> 	unstable.)

This package really doesn't appear to have the necessary baseline
support from porters and/or the maintainer to let us keep it around.
There's a total of one package in testing still depending on openmotif;
I think we should give the arb maintainer a shot at fixing it, and then
drop it from testing if he doesn't get anywhere.

> openssh
> 	frozen, rc bug
> 	security hole is minor (CAN-2005-2666)

Pushed in.  (The RC bug was reported against the version in stable, and
should not be a blocker.)

> php4 (fixed in secure-testing)
> 	needs requeue on m68k once deps are satisfied

Already in dep-wait.  The version in unstable is stuck for a while, but
the sarge security update is waiting in t-p-u for m68k to catch up.

> python2.1
> 	alpha build succeeded 2 weeks ago but gone missing
> 	mips, mipsel, powerpc builds ditto
> 	blocked by gmp
> python2.2
> 	FTBFS m68k (ICE)
> 	FTBFS hppa
> 	blocked by gmp

No hope that we can get rid of these yet...?

> xorg-x11
> 	too young
> 	build needs retried on arm

Currently listed as building on tofee.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at debian.org                                   http://www.debian.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20050913/dc2b7a49/attachment.pgp

More information about the Secure-testing-team mailing list