svn team mailing list archive

[Max Bowsher <maxb@xxxxxxx>]

On 06/10/10 12:08, Max Bowsher wrote:
> On 06/10/10 09:33, Michael Diers wrote:
>> On 2010-10-05 20:55, Max Bowsher wrote:
>>> On 05/10/10 13:53, Michael Diers wrote:
>>>> Peter Samuelson has submitted Subversion 1.6.12dfsg-2 to Debian
>>>> unstable.
>>>>
>>>> https://launchpad.net/debian/+source/subversion/1.6.12dfsg-2
>>>>
>>>> The package will soon transition to Debian testing and eventually get
>>>> collected in bzr branch lp:debian/squeeze/subversion.
>>>>
>>>> This release primarily addresses CVE-2010-3315. Is anyone (Max?)
>>>> planning to merge this into our Lucid PPA? Otherwise I'll happily do
>>>> that, and also update the other supported branches.
>>>
>>> I'm happy to do so. Or you can. I don't mind. But, it's time for us to
>>> add a Maverick package, so whoever does should include that/
>>
>> Right, I'm still slightly insecure when it comes to applying the tools
>> correctly, so I may have to double-check with this list before actually
>> causing havoc. Unless that's a problem, I'd like to give it a go.
>>
>>>> (And then there's Subversion 1.6.13 out, too.)
>>>
>>> Hmm. Why don't we just jump straight to that? NB that since Debian is in
>>> pre-release freeze, it's entirely likely that Peter will not upload
>>> that. Neither will it make its way into Ubuntu until some time after
>>> Natty Narwhal repositories open for general updates.
>>
>> Peter managed to get an "unblock request" acknowledged for 1.6.12dfsg-2,
>> so that will go into Squeeze by tomorrow. He intends to release 1.6.13
>> to experimental or unstable once this has happened.
>>
>> I'd like to provide 1.6.12dfsg-2 to my existing user base, just for the
>> security fix.
>>
>> After that, sure, let's tackle 1.6.13.
> 
> Awfully conservative user base if they are hesitant to update by a
> micro-release, but OK, if you feel it's warranted, please go ahead.
> 
> In that case I suggest you proceed by merging (and since there is no new
> upstream version nor odd branch divergence, plain old "bzr merge" is
> fine here) 1.6.12dfsg-2 from lp:debian/sid/subversion first into our
> lucid branch, to produce 1.6.12dfsg-2svn1, and thence onwards to karmic,
> jaunty, hardy.
> 
> Let's skip Maverick for this version, to get the minimal security upload
> done for the released distributions.
> 
>>> In which case, are you familiar with bzr-builddeb's 'bzr merge-package'
>>> command? We should definitely use it, it's the de-facto standard for
>>> importing upstream versions into a packaging branch.
>>
>> Sorry, I can't say I am, but I'll have a look.
>>
>>> Documentation may be scarce. I'll see what I can find and/or write a
>>> summary myself.
>>
>> That would be great, thanks in advance.
> 
> And, once we've got 1.6.12dfsg-2svn1 up, I'll tackle merging
> 1.6.12dfsg-1ubuntu1 from Maverick through our stack of packaging
> branches, starting a Maverick branch, and merging 1.6.13 - and try to
> write some useful notes on what I did.

Maverick's released. I'd like to do this soon.

Please let me know if you still intend to bother with 1.6.12dfsg-2.

Max.

Attachment: signature.asc
Description: OpenPGP digital signature