Source: xen
Version: 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9
Severity: serious

The version of the Xen packages in unstable and buster is lower than
the one in Debian stretch. That seems highly irregular and will
obviously break upgrades to buster.

The reason this is marked as "serious" is because I consider this a
"severe violation of Debian policy". This would be section 3 of the
Debian policy, although it curiously does not explicitly state that
versions between different suites should be incrementing.

I still consider this a release critical bug and that new upstream
packages should first be uploaded to unstable, unless there is a
security issue (which is the case here) in which case they should be
simultaneously uploaded to both suites.

Thanks,

A.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.17.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Ian Jackson
2018-Sep-05 11:36 UTC
[Pkg-xen-devel] Bug#907835: Bug#907835: newer version in stable
Antoine Beaupre writes ("[Pkg-xen-devel] Bug#907835: newer version in stable"):
> Source: xen
> Version: 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9
> Severity: serious
>
> The version of the Xen packages in unstable and buster is lower than
> the one in Debian stretch. That seems highly irregular and will
> obviously break upgrades to buster.
>
> The reason this is marked as "serious" is because I consider this a
> "severe violation of Debian policy". This would be section 3 of the
> Debian policy, although it curiously does not explicitly state that
> versions between different suites should be incrementing.

I agree that this is an RC bug. Fixing it by removing the packages
from buster wouldn't help, though.

> I still consider this a release critical bug and that new upstream
> packages should first be uploaded to unstable, unless there is a
> security issue (which is the case here) in which case they should be
> simultaneously uploaded to both suites.

The 4.8-based security updates have not been going to sid/buster for
rather obscure reasons. We have packages for 4.11 in preparation, so
hopefully this will become irrelevant soon.

Ian.

--
Ian Jackson <ijackson at chiark.greenend.org.uk> These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
Antoine Beaupré
2018-Sep-05 14:27 UTC
[Pkg-xen-devel] Bug#907835: Bug#907835: newer version in stable
On 2018-09-05 12:36:54, Ian Jackson wrote:

[...]

> I agree that this is an RC bug. Fixing it by removing the packages
> from buster wouldn't help, though.

Agreed. Removal is obviously an unwanted side-effect... :)

[...]

> The 4.8-based security updates have not been going to sid/buster for
> rather obscure reasons. We have packages for 4.11 in preparation, so
> hopefully this will become irrelevant soon.

Excellent, thanks for the prompt response.

A.

--
Non qui parum habet, sed qui plus cupit, pauper est.
It is not the man who has too little, but the man who craves more,
that is poor.
- Lucius Annaeus Seneca (65 AD)
Antoine Beaupré
2018-Sep-23 15:38 UTC
[Pkg-xen-devel] Bug#907835: Bug#907835: newer version in stable
On 2018-09-05 12:36:54, Ian Jackson wrote:
> The 4.8-based security updates have not been going to sid/buster for
> rather obscure reasons. We have packages for 4.11 in preparation, so
> hopefully this will become irrelevant soon.

It's been two weeks and stable still has a newer version than unstable,
which suffers from four security issues fixed in stable.

I understand you might have other plans in the long term, but in the
meantime, why not just upload deb9u10 to unstable?

a.

--
Instead of worrying about what somebody else is going to do, which is
not under your control, the important thing is, what are you going to
decide about what is under your control?
- Richard Stallman
Ian Jackson
2018-Sep-26 14:22 UTC
[Pkg-xen-devel] Bug#907835: Bug#907835: newer version in stable
Antoine Beaupré writes ("Re: [Pkg-xen-devel] Bug#907835: newer version in stable"):
> It's been two weeks and stable still has a newer version than unstable,
> which suffers from four security issues fixed in stable.
>
> I understand you might have other plans in the long term, but in the
> meantime, why not just upload deb9u10 to unstable?

I went to do this but sadly, it no longer builds due to gcc8. There
are upstream patches that could be cherry-picked but it's certainly no
longer simply a matter of importing the security update.

I am going to look at these failures since they are blocking my
package refactoring work and I expect that as an output I will produce
a list of upstream commits to cherry pick, which I will send to this
bug.

Ian.

--
Ian Jackson <ijackson at chiark.greenend.org.uk> These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
Debian Bug Tracking System
2018-Oct-24 11:45 UTC
[Pkg-xen-devel] Bug#907835: marked as done (newer version in stable)
Your message dated Wed, 24 Oct 2018 13:43:34 +0200
with message-id <a24a6553-a959-907e-09ca-e4be83a1dee3 at knorrie.org>
and subject line Re: Bug#907835: newer version in stable
has caused the Debian Bug report #907835,
regarding newer version in stable
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

--
907835: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907835
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Antoine Beaupre <anarcat at debian.org>
Subject: newer version in stable
Date: Sun, 02 Sep 2018 16:06:14 -0400
Size: 2795
URL: <http://alioth-lists.debian.net/pipermail/pkg-xen-devel/attachments/20181024/e7c560c6/attachment.mht>

-------------- next part --------------
An embedded message was scrubbed...
From: Hans van Kranenburg <hans at knorrie.org>
Subject: Re: Bug#907835: newer version in stable
Date: Wed, 24 Oct 2018 13:43:34 +0200
Size: 6259
URL: <http://alioth-lists.debian.net/pipermail/pkg-xen-devel/attachments/20181024/e7c560c6/attachment-0001.mht>
On 2018-10-24 13:43:34, Hans van Kranenburg wrote:
> Control: fixed 907835 4.11.1~pre.20180911.5acdd26fdc+dfsg-5
>
> On 9/26/18 4:22 PM, Ian Jackson wrote:
>> Antoine Beaupré writes ("Re: [Pkg-xen-devel] Bug#907835: newer version in stable"):
>>> It's been two weeks and stable still has a newer version than unstable,
>>> which suffers from four security issues fixed in stable.
>>>
>>> I understand you might have other plans in the long term, but in the
>>> meantime, why not just upload deb9u10 to unstable?
>>
>> I went to do this but sadly, it no longer builds due to gcc8. There
>> are upstream patches that could be cherry-picked but it's certainly no
>> longer simply a matter of importing the security update.
>>
>> I am going to look at these failures since they are blocking my
>> package refactoring work and I expect that as an output I will produce
>> a list of upstream commits to cherry pick, which I will send to this
>> bug.
>
> Xen 4.11 has now transitioned to testing! \o/
>
> So, the weird situation has been resolved.

Great! Thanks everyone! :)

a.

--
During times of universal deceit, telling the truth becomes a
revolutionary act.
- Georges Orwell