Debian Bug report logs - #598655
unblock: otrs2/2.4.8+dfsg1-1

Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: Patrick Matthäi <pmatthaei@debian.org>

Date: Thu, 30 Sep 2010 20:00:01 UTC

Severity: normal

Done: Luk Claes <luk@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#598655; Package release.debian.org. (Thu, 30 Sep 2010 20:00:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Patrick Matthäi <pmatthaei@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 30 Sep 2010 20:00:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Patrick Matthäi <pmatthaei@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: otrs2/2.4.8+dfsg1-1
Date: Thu, 30 Sep 2010 21:57:19 +0200
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: freeze-exception


Please unblock package otrs2

It fixes some security relevant bugs and many other upstream bugs, no new
features or something like that.

The package has already been aged, and the CVE IDs it fixes are CVE-2010-2080
and CVE-2010-3476; they are not mentioned in the changelog because I uploaded
the package before I noticed the CVE IDs / before it got any.

The debdiff is bloated, because of a little fault of upstream, so please use the
patches from:
http://lists.debian.org/debian-release/2010/09/msg01530.html

It is still not the smallest diff, but as you can see in
http://lists.debian.org/debian-release/2010/09/msg01296.html
it fixes *many* bugs.

unblock otrs2/2.4.8+dfsg1-1

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.35-trunk-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#598655; Package release.debian.org. (Fri, 15 Oct 2010 06:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 15 Oct 2010 06:06:03 GMT) Full text and rfc822 format available.

Message #10 received at 598655@bugs.debian.org (full text, mbox):

From: Luk Claes <luk@debian.org>
To: 598655@bugs.debian.org, Patrick Matthäi <pmatthaei@debian.org>
Subject: Re: unblock: otrs2/2.4.8+dfsg1-1
Date: Fri, 15 Oct 2010 08:02:41 +0200
> Please unblock package otrs2
>
> It fixes some security relevant bugs and many other upstream bugs, no new
> features or something like that.
>
> The package has already been aged, and the CVE IDs it fixes are CVE-2010-2080
> and CVE-2010-3476; they are not mentioned in the changelog because I uploaded
> the package before I noticed the CVE IDs / before it got any.
>
> The debdiff is bloated, because of a little fault of upstream, so please use the
> patches from:
> http://lists.debian.org/debian-release/2010/09/msg01530.html

What fault are you talking about?

Why is fckeditor included in the package? What changes are there in the
code base of fckeditor and is that still worth not using the fckeditor
already in the archive?

Cheers

Luk




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#598655; Package release.debian.org. (Fri, 15 Oct 2010 07:24:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to pmatthaei@debian.org:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 15 Oct 2010 07:24:03 GMT) Full text and rfc822 format available.

Message #15 received at 598655@bugs.debian.org (full text, mbox):

From: Patrick Matthäi <pmatthaei@debian.org>
To: Luk Claes <luk@debian.org>, 598655@bugs.debian.org
Subject: Re: Bug#598655: unblock: otrs2/2.4.8+dfsg1-1
Date: Fri, 15 Oct 2010 09:18:17 +0200
On 15.10.2010 08:02, Luk Claes wrote:
>> Please unblock package otrs2
>>
>> It fixes some security relevant bugs and many other upstream bugs, no new
>> features or something like that.
>>
>> The package has already been aged, and the CVE IDs it fixes are CVE-2010-2080
>> and CVE-2010-3476; they are not mentioned in the changelog because I uploaded
>> the package before I noticed the CVE IDs / before it got any.
>>
>> The debdiff is bloated, because of a little fault of upstream, so please use the
>> patches from:
>> http://lists.debian.org/debian-release/2010/09/msg01530.html
>
> What fault are you talking about?

e.g. http://lists.debian.org/debian-release/2010/09/msg01296.html
"I crawled myself through the full diff and found out that upstream
tried to update the fckeditor, but reverted the change, because it is
not working so well with newer IE and Chrome browsers and the diff
blew up because of whitespace changes.."

This produced a diff with > 50k lines or something like this.

I have attached a cleaned up diff of 2.4.7 => 2.4.8:
70 files changed, 1891 insertions(+), 593 deletions(-)

For fixing two CVEs and a big bunch of other errors, it is small :)
Upstream changelog:
http://lists.debian.org/debian-release/2010/09/msg01296.html

>
> Why is fckeditor included in the package? What changes are there in the
> code base of fckeditor and is that still worth not using the fckeditor
> already in the archive?

Yeah that is another building site :/ I already tried to port otrs to 
the fckeditor version of Debian, but without success:
http://packages.debian.org/changelogs/pool/main/o/otrs2/current/changelog#versionversion2.4.5-4

I also patched out libjs-yui from otrs a few weeks ago with the
consequence that the dashboard statistics are not usable anymore.. And
breaking the editor (as you can think a quite important feature) again
before we release - I think this would be a bad idea.


Much thanks for taking care of otrs!
[otrs.diff.gz (application/gzip, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#598655; Package release.debian.org. (Sat, 16 Oct 2010 09:54:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 16 Oct 2010 09:54:03 GMT) Full text and rfc822 format available.

Message #20 received at 598655@bugs.debian.org (full text, mbox):

From: Luk Claes <luk@debian.org>
To: 598655@bugs.debian.org
Subject: Re: Bug#598655: unblock: otrs2/2.4.8+dfsg1-1
Date: Sat, 16 Oct 2010 11:51:27 +0200
>> Why is fckeditor included in the package? What changes are there in the
>> code base of fckeditor and is that still worth not using the fckeditor
>> already in the archive?
>
> Yeah that is another building site :/ I already tried to port otrs to
> the fckeditor version of Debian, but without success:
> http://packages.debian.org/changelogs/pool/main/o/otrs2/current/changelog#versionversion2.4.5-4
>
> I also patched out libjs-yui from otrs a few weeks ago with the
> consequence that the dashboard statistics are not usable anymore.. And
> breaking the editor (as you can think a quite important feature) again
> before we release - I think this would be a bad idea.

Right, though knowing what the diff is between the packaged fsckeditor
and the one included in the otrs2 sources is the first (and currently
only) step I want you to take. I want to know what changes there are in
the diff to assess whether it's easy to support security-wise or whether
there are critical issues with it or not.

After the release it would still be a good idea to try to use the
packaged fsckeditor. That might mean it's best to have upstream's
fsckeditor or otrs2 change so they are more compatible and don't need 2
versions of (about) the same code...

But as said above, knowing what changes there are made by otrs2 upstream
to fsckeditor is the first step. Please do show us that diff, TIA.

Cheers

Luk




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#598655; Package release.debian.org. (Sat, 16 Oct 2010 10:03:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to pmatthaei@debian.org:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 16 Oct 2010 10:03:08 GMT) Full text and rfc822 format available.

Message #25 received at 598655@bugs.debian.org (full text, mbox):

From: Patrick Matthäi <pmatthaei@debian.org>
To: Luk Claes <luk@debian.org>, 598655@bugs.debian.org
Subject: Re: Bug#598655: unblock: otrs2/2.4.8+dfsg1-1
Date: Sat, 16 Oct 2010 10:00:49 +0200
On 16.10.2010 11:51, Luk Claes wrote:
>>> Why is fckeditor included in the package? What changes are there in the
>>> code base of fckeditor and is that still worth not using the fckeditor
>>> already in the archive?
>> Yeah that is another building site :/ I already tried to port otrs to
>> the fckeditor version of Debian, but without success:
>> http://packages.debian.org/changelogs/pool/main/o/otrs2/current/changelog#versionversion2.4.5-4
>> I also patched out libjs-yui from otrs a few weeks ago with the
>> consequence that the dashboard statistics are not usable anymore.. And
>> breaking the editor (as you can think a quite important feature) again
>> before we release - I think this would be a bad idea.
> Right, though knowing what the diff is between the packaged fsckeditor
> and the one included in the otrs2 sources is the first (and currently
> only) step I want you to take. I want to know what changes there are in
> the diff to assess whether it's easy to support security-wise or whether
> there are critical issues with it or not.

If I have not overlooked anything, then the changes to the fsckeditor
equal zero.
Upstream just tried to update fsckeditor to the latest version for
2.4.8, but they encountered many issues with IE and Chrome (if I
remember correctly), so they reimported the old version (I have just
checked this version in the past; no CVE open for this one) and by doing
this, whitespaces/EOL have been fucked up, that's why the diff is so
bloated and you need -b for diff :)

> After the release it would still be a good idea to try to use the
> packaged fsckeditor. That might mean it's best to have upstream's
> fsckeditor or otrs2 change so they are more compatible and don't need 2
> versions of (about) the same code...

I fully agree with you. But I think it is a bit late to experiment now 
with it :x

> But as said above, knowing what changes there are made by otrs2 upstream
> to fsckeditor is the first step. Please do show us that diff, TIA.

Do you mean code changes by upstream to the embedded fsckeditor itself? 
There shouldn't be any code changes.

> Cheers
>
> Luk
>
>
>

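The check discussed in this exchange, namely comparing an embedded copy of a library against the packaged one once whitespace and line-ending noise is removed so that only real code changes remain for security review, as an added shell example that is not part of this bug log. It normalises CR line endings before running diff -w -B (stronger than the -b mentioned above); the directory trees and file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug log): list the real code changes between an
# embedded copy of a library and the packaged copy, ignoring the whitespace
# and line-ending noise that bloated the otrs2 debdiff. Sample trees and
# file names below are constructed for the demonstration.
set -eu

# real_changes EMBEDDED_DIR PACKAGED_DIR
# Prints, one per line, the files that still differ after CR characters are
# dropped and whitespace/blank-line changes are ignored. Files present in
# only one tree are printed too: an added or dropped file is a real change.
real_changes() {
    e=$1
    p=$2
    { (cd "$e" && find . -type f); (cd "$p" && find . -type f); } | sort -u |
    while IFS= read -r f; do
        if [ ! -f "$e/$f" ] || [ ! -f "$p/$f" ]; then
            echo "$f"
            continue
        fi
        ne=$(mktemp)
        np=$(mktemp)
        tr -d '\r' <"$e/$f" >"$ne"   # normalise CRLF to LF
        tr -d '\r' <"$p/$f" >"$np"
        # -w ignores all horizontal whitespace, -B ignores blank lines; the
        # -b from the thread only ignores changes in the amount of space.
        diff -q -w -B "$ne" "$np" >/dev/null || echo "$f"
        rm -f "$ne" "$np"
    done
}

# make_sample_trees: constructed fixture. The embedded copy was re-imported
# with CRLF endings and tab indentation (noise only), one file carries an
# actual code change, and one file exists only in the packaged copy.
make_sample_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/embedded/js" "$base/packaged/js"
    printf 'function  load() {\n    return 1;\n}\n'    >"$base/packaged/js/loader.js"
    printf 'function load() {\r\n\treturn 1;\r\n}\r\n' >"$base/embedded/js/loader.js"
    printf 'var safe = escape(input);\n'               >"$base/packaged/js/filter.js"
    printf 'var safe = input;\r\n'                     >"$base/embedded/js/filter.js"
    printf 'packaged copy only\n'                      >"$base/packaged/README"
    echo "$base"
}

# Stand-alone run: prints ./README and ./js/filter.js, not ./js/loader.js.
SAMPLE_DIR=$(make_sample_trees)
real_changes "$SAMPLE_DIR/embedded" "$SAMPLE_DIR/packaged"
rm -rf "$SAMPLE_DIR"
```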




Reply sent to Luk Claes <luk@debian.org>:
You have taken responsibility. (Sat, 16 Oct 2010 10:18:04 GMT) Full text and rfc822 format available.

Notification sent to Patrick Matthäi <pmatthaei@debian.org>:
Bug acknowledged by developer. (Sat, 16 Oct 2010 10:18:04 GMT) Full text and rfc822 format available.

Message #30 received at 598655-done@bugs.debian.org (full text, mbox):

From: Luk Claes <luk@debian.org>
To: 598655-done@bugs.debian.org
Subject: Re: Bug#598655: unblock: otrs2/2.4.8+dfsg1-1
Date: Sat, 16 Oct 2010 12:14:02 +0200
On 10/16/2010 10:00 AM, Patrick Matthäi wrote:
> On 16.10.2010 11:51, Luk Claes wrote:
>>>> Why is fckeditor included in the package? What changes are there in the
>>>> code base of fckeditor and is that still worth not using the fckeditor
>>>> already in the archive?
>>> Yeah that is another building site :/ I already tried to port otrs to
>>> the fckeditor version of Debian, but without success:
>>> http://packages.debian.org/changelogs/pool/main/o/otrs2/current/changelog#versionversion2.4.5-4
>>
>>> I also patched out libjs-yui from otrs a few weeks ago with the
>>> consequence that the dashboard statistics are not usable anymore.. And
>>> breaking the editor (as you can think a quite important feature) again
>>> before we release - I think this would be a bad idea.
>> Right, though knowing what the diff is between the packaged fsckeditor
>> and the one included in the otrs2 sources is the first (and currently
>> only) step I want you to take. I want to know what changes there are in
>> the diff to assess whether it's easy to support security-wise or whether
>> there are critical issues with it or not.
> 
> If I have not overlooked anything, then the changes to the fsckeditor
> equal zero.
> Upstream just tried to update fsckeditor to the latest version for
> 2.4.8, but they encountered many issues with IE and Chrome (if I
> remember correctly), so they reimported the old version (I have just
> checked this version in the past; no CVE open for this one) and by doing
> this, whitespaces/EOL have been fucked up, that's why the diff is so
> bloated and you need -b for diff :)
> 
>> After the release it would still be a good idea to try to use the
>> packaged fsckeditor. That might mean it's best to have upstream's
>> fsckeditor or otrs2 change so they are more compatible and don't need 2
>> versions of (about) the same code...
> 
> I fully agree with you. But I think it is a bit late to experiment now
> with it :x

Right, though we should look into it after the release.

>> But as said above, knowing what changes there are made by otrs2 upstream
>> to fsckeditor is the first step. Please do show us that diff, TIA.
> 
> Do you mean code changes by upstream to the embedded fsckeditor itself?
> There shouldn't be any code changes.

Ok, unblocked.

Cheers

Luk




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 14 Nov 2010 07:34:52 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 21:04:56 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.