• Bug#1109993: bookworm-pu: package rsync/3.2.7-1+deb12u3

    From Alex@21:1/5 to All on Sun Jul 27 22:10:01 2025
    XPost: linux.debian.devel.release

    Package: release.debian.org
    Severity: normal
    Tags: bookworm
    User: [email protected]
    Usertags: pu
    X-Debbugs-Cc: [email protected]
    Control: affects -1 + src:rsync

    Please unblock package rsync

    [ Reason ]

    The changes increase the test coverage of the rsync package. This in
    turn is an additional layer of defense against regressions in the
    package due to CVE fixes or other proposed-updates changes.

    These changes are basically identical to those that have been [unblocked
    for testing][1][2] already, with one small difference: In stable we do
    not skip one test because the diffoscope version in stable does not
    contain a regression introduced in later diffoscope versions which are
    shipped in testing.

    [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107754
    [2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109938

    [ Impact ]

    Without these changes, users of (soon old-)stable would face a higher
    risk of regressions in rsync for security fixes or other
    proposed-update.

    [ Tests ]

    These changes only add tests and don't affect the functionality of the
    package.

    [ Risks ]

    I don't see any: The tests are not flaky. The 2 additional build
    dependencies do not impact the binary.

    [ Checklist ]
    [x] *all* changes are documented in the d/changelog
    [x] I reviewed all changes and I approve them
    [x] attach debdiff against the package in (old)stable


    --=-=-=
    Content-Type: text/plain; charset=utf-8
    Content-Disposition: inline; filename=rsync.debdiff
    Content-Transfer-Encoding: quoted-printable
    Content-Description: rsync_3.2.7-1+deb12u3

    diff -Nru rsync-3.2.7/debian/changelog rsync-3.2.7/debian/changelog
    --- rsync-3.2.7/debian/changelog 2025-01-15 19:47:12.000000000 +0100
    +++ rsync-3.2.7/debian/changelog 2025-07-27 16:12:57.000000000 +0200
    @@ -1,3 +1,16 @@
    +rsync (3.2.7-1+deb12u3) bookworm; urgency=medium
    +
    + * Team upload.
    + * d/control: Add B-D acl and attr, used for tests-only, no impact to
    + resulting binaries
    + * d/tests: New tests:
    + - rsync-help: Superficial test for "-h"
    + - local-tests: End-to-end tests with local transfers
    + - remote-tests: End-to-end tests through ssh
    + - upstream-tests-as-root: Upstream unit tests, run as root
    +
    + -- Alex <[email protected]> Sun, 27 Jul 2025 16:12:57 +0200
    +
    rsync (3.2.7-1+deb12u2) bookworm-security; urgency=high

    [ Salvatore Bonaccorso ]
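
    Review bot: the "d/tests: New tests" items in the new 3.2.7-1+deb12u3 entry do not record that this upload, unlike the testing upload it is based on, leaves one test enabled because the diffoscope version in stable lacks the regression. The request text describes this difference but the changelog does not, so a sub-item under "d/tests" noting it would keep the stable-specific delta visible in the package history.
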
    diff -Nru rsync-3.2.7/debian/control rsync-3.2.7/debian/control
    --- rsync-3.2.7/debian/control 2025-01-15 19:47:12.000000000 +0100
    +++ rsync-3.2.7/debian/control 2025-07-27 16:12:57.000000000 +0200
    @@ -12,7 +12,9 @@
    zlib1g-dev,
    libssl-dev,
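
    Review bot: the header "@@ -12,7 +12,9 @@" shows two lines added to this Build-Depends block, which the changelog describes as acl and attr "used for tests-only". If they serve only the build-time test suite and are not already annotated, marking them with the <!nocheck> build profile would state that in d/control itself and keep them out of nocheck builds.
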
  • From Jonathan Wiltshire@21:1/5 to All on Mon Jul 28 23:30:01 2025
    XPost: linux.debian.devel.release

    Control: tag -1 moreinfo

    Hi,

    This proposal does not fit the usual criteria for an update to the stable
    release. Why do the enhanced tests need adding *now* for hypothetical
    future security updates?

    --
    Jonathan Wiltshire [email protected]
    Debian Developer http://people.debian.org/~jmw

    4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Samuel Henrique@21:1/5 to Jonathan Wiltshire on Mon Jul 28 23:50:01 2025
    XPost: linux.debian.devel.release

    Control: tag -1 - moreinfo

    Hello Jonathan,

    On Mon, 28 Jul 2025 at 22:21, Jonathan Wiltshire <[email protected]> wrote:

    > This proposal does not fit the usual criteria for an update to the stable
    > release. Why do the enhanced tests need adding *now* for hypothetical
    > future security updates?

    I thought increasing test coverage was within the scope of stable-pu
    updates, is this not the case? I mean, this will make it easier to catch
    regressions in stable uploads.

    I might have misunderstood the question, but we want to add these tests to
    bookworm in order to detect regressions in future updates to the rsync
    package in bookworm. We've had a bad regression pushed to bookworm in
    January this year as part of a CVE fix, that's the type of problem I'm
    trying to avoid from happening, does this answer it?

    The same changes are also part of Trixie already, but they won't catch any problems in future bookworm uploads.

    Maybe you're asking why not wait until the next upload of rsync to
    bookworm in order to push this with it. If that's the question, I'd
    prefer to do it now and not have to risk missing this in a future
    upload, it makes the review simpler due to the smaller diff, and it
    could also catch regressions introduced by rdeps (uploaded independently
    of rsync).

    Regards,

    --
    Samuel Henrique <samueloph>
