[Bug 657405] Review Request: lbzip2 - fast, multi-threaded bzip2 utility

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.


https://bugzilla.redhat.com/show_bug.cgi?id=657405

Laszlo Ersek <lersek@xxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |drjones@xxxxxxxxxx

--- Comment #10 from Laszlo Ersek <lersek@xxxxxxxxxx> 2011-05-27 08:04:30 EDT ---
New branch request for lbzip2:

(http://fedoraproject.org/wiki/PackageMaintainers/CVSAdminProcedure#other)

Package Change Request
======================
Package Name: lbzip2
New Branches: el4 el5 el6
Owners: lzap

*** Justification: seems like we'd like to use lbzip2 for virt perf testing,
and it's more straightforward to install EPEL-x packages for RHEL-x than to
fish them out of Fedora.

*** Changes likely needed: the current spec file specifies

BuildRequires:  bzip2-devel >= 1.0.6, dash, sharutils
Requires:       bzip2-libs >= 1.0.6

The bzip2-devel, bzip2-libs versions require 1.0.6+ only due to a secvuln fixed
in upstream 1.0.6: "Version 1.0.6 removes a potential security vulnerability,
CVE-2010-0405, so all users are recommended to upgrade immediately."
(http://bzip.org/)

However, such fixes are always backported to / instantiated for all RHEL
versions:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0405

RHEL-4 ships bzip2-*-1.0.2, RHEL-5 ships bzip2-*-1.0.3, RHEL-6 ships something
more recent than that. There's no earlier EPEL than EPEL-4. Therefore I suggest
removing the bzip2 dependency version numbers from the spec file, on *all*
three EPEL branches. lbzip2 only needs API compatibility, which is ensured by
any 1.0.x.

*** Why I didn't add myself to the Owners field even now:

Because I want to keep my upstream work on lbzip2 strictly isolated from my
work paid-for by Red Hat.

Lukas, I'll buy you a beer of your preference after working hours :) Thanks!

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
_______________________________________________
package-review mailing list
package-review@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/package-review
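
The comment above argues that a `>= 1.0.6` pin is the wrong test for CVE-2010-0405 on RHEL, because the fix is backported into older upstream versions. The following is an added example, not part of the original mail or of the lbzip2 package: it looks for the CVE in package changelog text (as printed by `rpm -q --changelog bzip2-libs`) and contrasts that with the version pin. The sample changelog is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of `rpm -q --changelog bzip2-libs`;
# packager, dates and release numbers are invented, not from a real package.
SAMPLE_CHANGELOG = """\
* Mon Sep 20 2010 Example Packager <packager@example.com> - 1.0.3-99.constructed
- apply backported fix for CVE-2010-0405

* Tue Jan 12 2010 Example Packager <packager@example.com> - 1.0.3-98.constructed
- rebuild
"""

HEADER = re.compile(r"^\* (\w{3} \w{3} +\d{1,2} \d{4}) .*? - (\S+)$")

def entries(changelog):
    """Yield (date, version-release, body) per entry, in file order (newest first)."""
    date = evr = None
    body = []
    for line in changelog.splitlines():
        m = HEADER.match(line)
        if m:
            if evr is not None:
                yield date, evr, "\n".join(body)
            (date, evr), body = m.groups(), []
        elif evr is not None:
            body.append(line)
    if evr is not None:
        yield date, evr, "\n".join(body)

def fix_entry(changelog, cve):
    """Return (date, version-release) of the newest entry naming the CVE, else None."""
    pattern = re.compile(re.escape(cve) + r"(?!\d)")  # do not match a longer CVE id
    for date, evr, body in entries(changelog):
        if pattern.search(body):
            return date, evr
    return None

def upstream_version(evr):
    """Numeric upstream version from '[epoch:]version-release'."""
    version = evr.rsplit("-", 1)[0].split(":")[-1]
    return tuple(int(part) for part in version.split("."))

def audit(changelog, cve, pinned=(1, 0, 6)):
    """Compare 'changelog names the fix' with 'installed version meets the pin'."""
    newest = next(entries(changelog), None)
    meets_pin = newest is not None and upstream_version(newest[1]) >= pinned
    return {"fixed_in": fix_entry(changelog, cve), "meets_pin": meets_pin}

if __name__ == "__main__":
    print(audit(SAMPLE_CHANGELOG, "CVE-2010-0405"))
```

On the constructed input the changelog names the fix while the version pin is not met, which is the mismatch the comment describes.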

