May was the first month I started to contribute to Debian LTS under the Freexian umbrella. In total I spent six hours working on:
dulwich: research on CVE-2015-0838, CVE-2014-9706. This resulted in DLA-231-1.
mercurial: research on CVE-2014-9462, CVE-2014-9390 with Javi Merino. This resulted in DLA-237-1.
mongodb: research on CVE-2015-1609. It turned out that we're not affected: earlier versions did the check correctly, and it was only lost later.
My current workflow looks like this:

1. Find a package to work on via
   https://security-tracker.debian.org/tracker/status/release/oldoldstable
2. Look at the details via the security tracker, e.g.
   https://security-tracker.debian.org/tracker/source-package/mercurial
3. Get the sources:

```sh
#!/bin/sh -e
PKG="$1"
# Import every version from snapshot.debian.org into a git repository
gbp import-dscs --debsnap "${PKG}"
cd "${PKG}"
# Branch off the tag of the version currently in squeeze; the version is
# mangled the way gbp names its tags (':' becomes '%', '~' becomes '_')
git checkout -b debian/squeeze-lts \
    debian/$(rmadison -s squeeze -a amd64 "${PKG}" | awk '/squeeze/ { print $3 }' | sed -s -e 's/:/%/' -e 's/~/_/')
# Turn the package's existing quilt patches into git commits
gbp pq import
```
Now I have an already patched source tree to add the backported patches to. Especially in cases where the Jessie version is already fixed, this makes it rather quick to get an idea of which versions are affected and to see how the code evolved over time.
In order for this to work properly I made (on non-LTS time) some improvements to gbp:

- git-pbuilder now knows about LTS, so it can create chroots like:

  ```sh
  DIST=squeeze-lts git-pbuilder create
  ```

- gbp buildpackage is now clever enough to figure out the distribution to build for from the current branch name if you adhere to DEP14. So in case you're building from a git branch named debian/squeeze-lts it will automatically pass DIST=squeeze-lts to git-pbuilder. This needs

  ```ini
  [buildpackage]
  dist=DEP14
  ```

  in gbp.conf.

- gbp pq now tries harder to preserve patch names. While having patch names adhere to what git am writes out is nice, renaming patches just leads to too much noise when importing and exporting from existing packages (#761161). gbp pq still needs to improve in preserving DEP-3 header information though (#785274).
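The two DEP14 name conversions the workflow above relies on, as an added shell example (my illustration, not code from this post or from gbp itself): mangling a Debian version into the form gbp uses in tag names, deriving DIST from a debian/&lt;suite&gt; branch name the way the dist=DEP14 setting does, and picking the version column out of an rmadison line. The rmadison line and the version strings are constructed samples. One generalization over the one-line import script: the substitutions carry the g flag so every ~ is replaced, which is what DEP14 asks for.

```shell
# Added example, not part of the original post or of gbp.

# Mangle a Debian version for use in a DEP14 tag or branch name:
# ':' becomes '%' and '~' becomes '_' (all occurrences, per DEP14).
dep14_version() {
    printf '%s\n' "$1" | sed -e 's/:/%/g' -e 's/~/_/g'
}

# Derive the DIST for git-pbuilder from a DEP14 branch name,
# e.g. debian/squeeze-lts -> squeeze-lts. Branches outside the
# debian/<suite> scheme print nothing and return failure, so a
# caller notices instead of silently building for the wrong suite.
dist_from_branch() {
    case "$1" in
        debian/*) printf '%s\n' "${1#debian/}" ;;
        *)        return 1 ;;
    esac
}

# Version column of an rmadison line for squeeze (same awk as the
# import script). Fields are split on whitespace, so $3 is the version.
version_from_rmadison() {
    printf '%s\n' "$1" | awk '/squeeze/ { print $3 }'
}

# Name of the tag gbp import-dscs created for the squeeze version:
# the two steps above combined, as the import script does in one line.
squeeze_tag() {
    printf 'debian/%s\n' "$(dep14_version "$(version_from_rmadison "$1")")"
}

# Constructed sample line (not real rmadison output), with an epoch
# so that the ':' mangling is visible.
SAMPLE_RMADISON='mercurial | 1:1.6.4-1+squeeze1 | squeeze | source, amd64'

squeeze_tag "$SAMPLE_RMADISON"          # debian/1%1.6.4-1+squeeze1
dist_from_branch debian/squeeze-lts     # squeeze-lts
```

Both helpers are pure string transformations, so they can be dropped into a hook or a wrapper script without needing a checked-out repository; the failing branch case is the one worth keeping in mind, since a build that silently falls back to the wrong suite is exactly what the dist=DEP14 setting is meant to avoid.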