reassign 464712 libcap2
retitle 464712 bump shlibs to >= 2.10
thanks

Sven Joachim wrote:
On 2008-07-09 08:41 +0200, Ted Percival wrote:

reopen 464712
found avahi-daemon/0.6.23-2
thanks

The libcap2 dependency is more nuanced than I realised. In order to avoid a similar warning ("warning: `avahi-daemon' uses deprecated v2 capabilities in a way that may be insecure.") the libcap2 package must be >= 2.10 as well (not just libcap2-dev). I guess this versioned "Depends" should be added explicitly.

I don't think this would be a good idea. There will already be an autogenerated dependency on libcap2 from dh_shlibsdeps.

For details see
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=kernel/capability.c;h=901e0fdc3fffa3b32fca26e0aa4e1985b244bd10;hb=HEAD#l55
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ca05a99a54db1db5bca72eccb5866d2a86f8517f
https://bugzilla.redhat.com/show_bug.cgi?id=447518

Would it not be better to fix this in libcap2's shlibs file? I.e. use

libcap 2 libcap2 (>= 2.10-1)

there and let avahi-daemon and other packages build-depend on libcap2-dev (>= 2.10-3), assuming that 2.10-3 is the version containing that shlibs file.

I'm reassigning this bug to libcap2 and let its maintainer decide. If he deems the security issue important enough, the shlibs file should be bumped and he should request binNMUs for all reverse-dependencies.

Cheers,
Michael

--
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?