Santiago Vila <sanv...@debian.org> writes:
> Hello.
>
> I've made a team upload for Bug #1104509 (Internet access during build),
> mainly to remove items in the todo list, since the fix was trivial.
>
> I was considering fixing this CVE bug as well, and I actually tried
> backporting the upstream fix, but then the package would not build anymore
> (will try to put what I did somewhere).

I was able to reproduce the build failure. The reason is some code changes in notation-core-go that introduce/change some types, specifically 95d89543c9f97f68352207dc7739b1722a1403bf.

I've backported the necessary code changes and have uploaded them to experimental as golang-github-notaryproject-notation-core-go_1.1.0-7, to allow (more) convenient testing and review of the code.

Once that has been built, we can upload the patch from upstream commit e7005a6d13e5ba472d4e166fbb085152f909e102 to experimental as well, so that we can then actually rebuild src:golang-github-notaryproject-notation.

> How feasible would it be to fix the CVE by packaging the
> new upstream version (1.3.2) which is available? I could try that if
> that's the best course of action, but for upgrading to a new upstream
> release I would prefer somebody else to take care of it.

I believe that would be the next best option, but it would require approval/review from the release team. I expect the change to be significant and to require quite some effort to review.

CC'ed debian-release: Please let me know if you prefer to go with the newer upstream release; otherwise I'll proceed as outlined above: minimal code changes, and rebuild dependencies in experimental so that they can be tested safely.

Best,
-rt