Debian Bug report logs - #679041
transition: wireshark

Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: balint@balintreczey.hu

Date: Mon, 25 Jun 2012 22:15:04 UTC

Severity: normal

Done: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#679041; Package release.debian.org. (Mon, 25 Jun 2012 22:15:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to balint@balintreczey.hu:
New Bug report received and forwarded. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 25 Jun 2012 22:15:07 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Bálint Réczey <balint@balintreczey.hu>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Cc: Eloy Paris <peloy@chapus.net>
Subject: transition: wireshark
Date: Tue, 26 Jun 2012 00:10:17 +0200
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: transition

Dear Release Team,

I'd like to upload the latest version of wireshark to unstable.
Updating from 1.6.8 to 1.8.0 brings a new ABI with a new soname for
all the libs. Having Wireshark 1.8.x in Wheezy is important because
upstream's support for 1.6.x ends on June 7, 2013 [1] and Wireshark
needs regular security updates.

The only source package affected is netexpect, for which I am in contact
with its maintainer, Eloy Paris.

I have uploaded wireshark 1.8.0~rc1 to the NEW queue through a sponsor
and plan uploading 1.8.0 to unstable right after RC1 gets accepted.

Ben file:

title = "wireshark";
is_affected = .build-depends ~ /libwireshark-dev|libwsutil-dev|libwiretap-dev/;
is_good = .depends ~ /libwireshark2|libwsutil2|libwiretap2/;
is_pad = .depends ~ /libwireshark1|libwsutil1|libwiretap1/;


[1]: http://wiki.wireshark.org/Development/LifeCycle




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#679041; Package release.debian.org. (Tue, 26 Jun 2012 16:30:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mehdi Dogguy <mehdi@dogguy.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 26 Jun 2012 16:30:03 GMT) Full text and rfc822 format available.

Message #10 received at 679041@bugs.debian.org (full text, mbox):

From: Mehdi Dogguy <mehdi@dogguy.org>
To: balint@balintreczey.hu, 679041@bugs.debian.org
Subject: Re: Bug#679041: transition: wireshark
Date: Tue, 26 Jun 2012 18:26:03 +0200
Hi,

On 26/06/2012 00:10, Bálint Réczey wrote:
>
> I'd like to upload the latest version of wireshark to unstable.
> Updating from 1.6.8 to 1.8.0 brings a new ABI with a new soname for
> all the libs. Having Wireshark 1.8.x in Wheezy is important because
> upstream's support for 1.6.x ends on June 7, 2013 [1] and Wireshark
> needs regular security updates.
>

Thanks for letting us know. Unfortunately, we think that this update
came a tad late because we are >that< near to freeze and the update
seems quite large.

About the security concerns, as far as I can see, updating wireshark to
1.8 in Wheezy would not buy us more than a year. AFAIK, the security
team didn't raise any concerns about this package in the past. Are there
any other concerns with the 1.6.8 release besides the security aspect?

Regards,

-- 
Mehdi Dogguy مهدي الدڤي
http://dogguy.org/




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#679041; Package release.debian.org. (Tue, 26 Jun 2012 17:21:30 GMT) Full text and rfc822 format available.

Acknowledgement sent to balint@balintreczey.hu:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 26 Jun 2012 17:21:30 GMT) Full text and rfc822 format available.

Message #15 received at 679041@bugs.debian.org (full text, mbox):

From: Bálint Réczey <balint@balintreczey.hu>
To: Mehdi Dogguy <mehdi@dogguy.org>
Cc: 679041@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#679041: transition: wireshark
Date: Tue, 26 Jun 2012 19:16:24 +0200
2012/6/26 Mehdi Dogguy <mehdi@dogguy.org>:
> Hi,
>
> On 26/06/2012 00:10, Bálint Réczey wrote:
>>
>>
>> I'd like to upload the latest version of wireshark to unstable.
>> Updating from 1.6.8 to 1.8.0 brings a new ABI with a new soname for
>> all the libs. Having Wireshark 1.8.x in Wheezy is important because
>> upstream's support for 1.6.x ends on June 7, 2013 [1] and Wireshark
>> needs regular security updates.
>>
>
> Thanks for letting us know. Unfortunately, we think that this update
> came a tad late because we are >that< near to freeze and the update
> seems quite large.
This is why i don't want to risk backporting security fixes from 1.8.x to 1.6.x.

>
> About the security concerns, as far as I can see, updating wireshark to
> 1.8 in Wheezy would not buy us more than a year. AFAIK, the security
One year is practically one third of Wheezy support time. This is huge.

> team didn't raise any concerns about this package in the past. Are there
> any other concerns with the 1.6.8 release besides the security aspect?
The security aspect is the most important one. Supporting 1.6.x put too much
load on the single maintainer of wireshark. Another important factor
is that we may
want to ship reasonably fresh software to users.

Note that 1.8.0~rc1-1 has been uploaded to the NEW queue weeks ago... [1]

Please let the package in.

Thanks,
Balint

[1]: http://ftp-master.debian.org/new/wireshark_1.8.0~rc1-1.html




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#679041; Package release.debian.org. (Tue, 26 Jun 2012 19:00:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Vincent Bernat <bernat@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 26 Jun 2012 19:00:05 GMT) Full text and rfc822 format available.

Message #20 received at 679041@bugs.debian.org (full text, mbox):

From: Vincent Bernat <bernat@debian.org>
To: Mehdi Dogguy <mehdi@dogguy.org>
Cc: 679041@bugs.debian.org, balint@balintreczey.hu
Subject: Re: Bug#679041: transition: wireshark
Date: Tue, 26 Jun 2012 20:57:10 +0200
[Message part 1 (text/plain, inline)]
 ❦ 26 juin 2012 18:26 CEST, Mehdi Dogguy <mehdi@dogguy.org> :

> About the security concerns, as far as I can see, updating wireshark to
> 1.8 in Wheezy would not buy us more than a year.

But after one year, it will be easier to backport fixes to 1.8 than to
backport them to 1.6.
-- 
 /* Identify the flock of penguins.  */
	2.2.16 /usr/src/linux/arch/alpha/kernel/setup.c
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#679041; Package release.debian.org. (Wed, 27 Jun 2012 19:12:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Wed, 27 Jun 2012 19:12:03 GMT) Full text and rfc822 format available.

Message #25 received at 679041@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: balint@balintreczey.hu, 679041@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#679041: transition: wireshark
Date: Wed, 27 Jun 2012 20:08:04 +0100
tag 679041 + pending
thanks

On Tue, 2012-06-26 at 19:16 +0200, Bálint Réczey wrote:
> 2012/6/26 Mehdi Dogguy <mehdi@dogguy.org>:
> > On 26/06/2012 00:10, Bálint Réczey wrote:
> >> I'd like to upload the latest version of wireshark to unstable.
> >> Updating from 1.6.8 to 1.8.0 brings a new ABI with a new soname for
> >> all the libs. Having Wireshark 1.8.x in Wheezy is important because
> >> upstream's support for 1.6.x ends on June 7, 2013 [1] and Wireshark
> >> needs regular security updates.
[...]
> > Thanks for letting us know. Unfortunately, we think that this update
> > came a tad late because we are >that< near to freeze and the update
> > seems quite large.
> This is why i don't want to risk backporting security fixes from 1.8.x to 1.6.x.

I have to admit to not being happy with the size of the diff at this
late stage, but it seems the lesser of the available evils.  The 1.8
package was accepted from NEW a short while ago by our friendly
ftp-team.

Can we schedule binNMUs for netexpect, or does it require any source
changes?

> > About the security concerns, as far as I can see, updating wireshark to
> > 1.8 in Wheezy would not buy us more than a year. AFAIK, the security
> One year is practically one third of Wheezy support time. This is huge.

If we assume a cycle of recent lengths for wheezy+1, it also leaves us
with likely one third of wheezy's lifetime where upstream won't be
supporting 1.8.

> Note that 1.8.0~rc1-1 has been uploaded to the NEW queue weeks ago... [1]

In that case, I'm not entirely sure why the transition bug wasn't raised
"weeks ago"... nor what the logic is behind not having uploaded the
release version already, given that the upstream schedule claims it was
released a week ago.

Regards,

Adam





Added tag(s) pending. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Wed, 27 Jun 2012 19:12:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#679041; Package release.debian.org. (Thu, 28 Jun 2012 08:45:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to balint@balintreczey.hu:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 28 Jun 2012 08:45:09 GMT) Full text and rfc822 format available.

Message #32 received at 679041@bugs.debian.org (full text, mbox):

From: Bálint Réczey <balint@balintreczey.hu>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: 679041@bugs.debian.org, Debian Security Team <team@security.debian.org>, Eloy Paris <peloy@chapus.net>
Subject: Re: Bug#679041: transition: wireshark
Date: Thu, 28 Jun 2012 10:43:52 +0200
2012/6/27 Adam D. Barratt <adam@adam-barratt.org.uk>:
> tag 679041 + pending
> thanks
>
> On Tue, 2012-06-26 at 19:16 +0200, Bálint Réczey wrote:
>> 2012/6/26 Mehdi Dogguy <mehdi@dogguy.org>:
>> > On 26/06/2012 00:10, Bálint Réczey wrote:
>> >> I'd like to upload the latest version of wireshark to unstable.
>> >> Updating from 1.6.8 to 1.8.0 brings a new ABI with a new soname for
>> >> all the libs. Having Wireshark 1.8.x in Wheezy is important because
>> >> upstream's support for 1.6.x ends on June 7, 2013 [1] and Wireshark
>> >> needs regular security updates.
> [...]
>> > Thanks for letting us know. Unfortunately, we think that this update
>> > came a tad late because we are >that< near to freeze and the update
>> > seems quite large.
>> This is why i don't want to risk backporting security fixes from 1.8.x to 1.6.x.
>
> I have to admit to not being happy with the size of the diff at this
> late stage, but it seems the lesser of the available evils.  The 1.8
> package was accepted from NEW a short while ago by our friendly
> ftp-team.
Thanks!
The Wireshark project uses pretty advanced techniques for ensuring
code quality including three different static code analyzers,
building for  platforms
and fuzz testing every build.
There are still security issues found in the code base time to time,
but with more than
2 million lines of C code it would be hard to avoid those completely.
All in all I'm convinced that having 1.8.x in Wheezy in the right decision.

>
> Can we schedule binNMUs for netexpect, or does it require any source
> changes?
Eloy will upload the new netexpect package soon.

...
>
>> Note that 1.8.0~rc1-1 has been uploaded to the NEW queue weeks ago... [1]
>
> In that case, I'm not entirely sure why the transition bug wasn't raised
> "weeks ago"... nor what the logic is behind not having uploaded the
> release version already, given that the upstream schedule claims it was
> released a week ago.
In the past we managed the "transition" ourselves by quickly updating
netexpect after wireshark.
Since netexpect does not have too many users yet and netexpect is the
only package
depending on wireshark it seemed to be a better solution over
involving the release team.
Should we always open a transition bug?

Cheers,
Balint




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#679041; Package release.debian.org. (Thu, 28 Jun 2012 12:04:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Eloy Paris <peloy@chapus.net>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 28 Jun 2012 12:04:23 GMT) Full text and rfc822 format available.

Message #37 received at 679041@bugs.debian.org (full text, mbox):

From: Eloy Paris <peloy@chapus.net>
To: balint@balintreczey.hu
Cc: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 679041@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#679041: transition: wireshark
Date: Thu, 28 Jun 2012 07:36:42 -0400
Hi all,

On 06/28/2012 04:43 AM, Bálint Réczey wrote:

[...]

> 2012/6/27 Adam D. Barratt <adam@adam-barratt.org.uk>:
>>
>> Can we schedule binNMUs for netexpect, or does it require any source
>> changes?
> Eloy will upload the new netexpect package soon.

I uploaded to unstable new netexpect packages built against the new 
Wireshark 1.8.0 packages yesterday as soon as I saw that Wireshark 1.8.0 
had been accepted into unstable.

>>> Note that 1.8.0~rc1-1 has been uploaded to the NEW queue weeks ago... [1]
>>
>> In that case, I'm not entirely sure why the transition bug wasn't raised
>> "weeks ago"... nor what the logic is behind not having uploaded the
>> release version already, given that the upstream schedule claims it was
>> released a week ago.
> In the past we managed the "transition" ourselves by quickly updating
> netexpect after wireshark.
> Since netexpect does not have too many users yet and netexpect is the
> only package
> depending on wireshark it seemed to be a better solution over
> involving the release team.
> Should we always open a transition bug?

Last time, for the Wireshark 1.4 to 1.6 transition, we were not close to 
a freeze, but Bálint and I coordinated the transition just like we did 
this time. The end result was the same -- all packages and their 
dependencies hitting unstable on the same day.

Cheers,

Eloy Paris.-




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#679041; Package release.debian.org. (Thu, 28 Jun 2012 18:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 28 Jun 2012 18:15:03 GMT) Full text and rfc822 format available.

Message #42 received at 679041@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Eloy Paris <peloy@chapus.net>
Cc: balint@balintreczey.hu, 679041@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#679041: transition: wireshark
Date: Thu, 28 Jun 2012 19:12:44 +0100
On Thu, 2012-06-28 at 07:36 -0400, Eloy Paris wrote:
> On 06/28/2012 04:43 AM, Bálint Réczey wrote:
> > In the past we managed the "transition" ourselves by quickly updating
> > netexpect after wireshark.
> > Since netexpect does not have too many users yet and netexpect is the
> > only package
> > depending on wireshark it seemed to be a better solution over
> > involving the release team.
> > Should we always open a transition bug?
> 
> Last time, for the Wireshark 1.4 to 1.6 transition, we were not close to 
> a freeze, but Bálint and I coordinated the transition just like we did 
> this time. The end result was the same -- all packages and their 
> dependencies hitting unstable on the same day.

For most of the release cycle, that will likely work fine, yes; although
unless netexpect actually requires source changes, you could save
yourself some work and just ask us to binNMU it.

However, when the freeze is known to be very close and the upload
doesn't occur until nearly three weeks _after_ the already publicised
"talk to us /now/ or your transition is unlikely to make wheezy" time
point, then co-ordination amongst yourselves is not sufficient.  If it
weren't for upstream's published support calendar, there's a reasonable
chance that 1.8 might not have made it, given when the release team were
asked.

Regards,

Adam





Reply sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
You have taken responsibility. (Mon, 02 Jul 2012 22:19:01 GMT) Full text and rfc822 format available.

Notification sent to balint@balintreczey.hu:
Bug acknowledged by developer. (Mon, 02 Jul 2012 22:19:01 GMT) Full text and rfc822 format available.

Message #47 received at 679041-done@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: balint@balintreczey.hu, 679041-done@bugs.debian.org
Subject: Re: Bug#679041: transition: wireshark
Date: Mon, 02 Jul 2012 23:12:27 +0100
On Tue, 2012-06-26 at 00:10 +0200, Bálint Réczey wrote:

> I'd like to upload the latest version of wireshark to unstable.
> Updating from 1.6.8 to 1.8.0 brings a new ABI with a new soname for
> all the libs. Having Wireshark 1.8.x in Wheezy is important because
> upstream's support for 1.6.x ends on June 7, 2013 [1] and Wireshark
> needs regular security updates.
> 
> The only source package affected is netexpect, for which I am in contact
> with its maintainer, Eloy Paris.

I aged wireshark and netexpect a little so we could get this transition
finished; as of tonight's britney run, wireshark 1.8 is in wheezy.

Regards,

Adam





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 31 Jul 2012 07:28:59 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 16:29:31 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.