[01:17] Fwd from Top: https://t.me/joinchat/AAAAAFIaauLQ-cq1MEwj-w
[18:27] *drops a grenade*
[18:27] The_LoudSpeaker I'd have to review the package first and get an idea for how maintainable it is, etc. One of the things we're working on behind the scenes is that there's a dedicated developer willing to maintain the software
[18:28] even while in backports (you can't just backport and forget, security concerns and what not)
[18:28] but the process hasn't been finalized yet
[18:28] and right now backports are selectively approved/handled
[18:29] so you are saying you can look into the package and approve it?
[18:30] i can look into the package
[18:30] but then I have to talk to Laney about it
[18:30] *and* it needs someone with upload privs to be willing to maintain it
[18:30] long term and provide security updates, etc. backporting where needed
[18:30] backports isn't going to be as simple as 'oh ok we can backport it' anymore in the future :P
[18:30] also, it's in universe rn so it will stay in universe itself? or migrate into backports?
[18:30] you don't have the upload rights?
[18:32] also, you can look at the source via a apt source micro on focal or groovy. focal has 2.0.1 and groovy has 2.0.6 afaik.
[18:32] need to get 2.0.6 in focal
[18:32] oh i have upload rights the question is "do I really want to maintain this going forward"
[18:32] as i just said
[18:32] backports is no longer an "upload and forget"
[18:33] whoever wants it in backports (i.e. me, etc.) needs to be willing to maintain the package, patches, etc. going forward. it ALSO needs to build with minimal changes.
[18:33] and right now backports is pretty stagnant/dead right now
[18:33] yeah for the same reason I asked if it really needs to go to backports?
[18:33] it's already in universe repos of focal
[18:34] > micro maintained
[18:34] what exactly is 'micro maintained' lol
[18:36] what I mean is can someone update micro which right now is sitting in focal-universe to the latest version that's present in groovy-universe ?
[18:37] it was " a package named micro, maintained in debian by a friend" not "micro maintained". wouldn't make sense.
[18:37] yeah well you weren't clear ;P
[18:38] well you haven't provided me my coffee yet. maybe that's why.
[18:38] the source package is named 'micro' yes?
[18:38] yes!
[18:38] NACK
[18:38] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964271
[18:38] it's a text editor.
[18:39] autoremoval on the 17th
[18:39] unless your friend and the Debian Go Packaging Team are willing to *fix* this grave RC bug
[18:39] i'm not backporting it
[18:39] hell I'll even request its removal from Ubuntu if the issue is grave enough :P
[18:39] (welcome to the security centric mindset I have)
[18:40] okay. I will let them know about this RC bug.
[18:41] if they read the package tracker like I do
[18:41] they'd already know it
[18:41] tell em to read https://tracker.debian.org/pkg/micro regularly
[18:41] I do this with ALL my packages I maintain in Debian
[18:41] noted.
[18:41] should point out that notice has been on the tracker since the 7th of July
[18:41] and it's a month since then
[18:41] soooooooooooooooooooooooooooo
[18:42] yeah yeah I got it.
[18:42] the issue is also in a go-dependent package so
[18:42] the dep on golang-x-text is the problem since that has the grave RC bug
[18:43] if you can't work with the package without golang-x-text and the Debian Go Package Team and Upstream don't fix the CVE then the package gets removed from testing
[18:44] I think you should join us in #debian-golang on oftc and remind them.
[18:45] not my job to look after packages I don't have a vested interest in :P
[18:45] YOU however can make that notice yourself
[18:45] that said
[18:45] they may be waiting on Upstream to patch it
[18:46] or for upstream to make a major version release because https://github.com/golang/go/issues/39491 is marked 'fixed'
[18:46] yeah just saw
[18:46] they are probably waiting for a new release
[18:46] still labeled 'needs fixed' upstream but the issue is closed so
[18:46] well unless they release by the 17th that package and its rdeps get purged from testing
[18:47] and after that from groovy-universe?
[18:49] well @teward001 check this:
[18:49] utkarsh2102: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964271 is important for micro it seems.
[18:49] [zwiebelbot] Debian#964271: golang-x-text: CVE-2020-14040 - https://bugs.debian.org/964271
[18:49] The_LoudSpeaker: there's no need to fix this here
[18:49] It's already fixed in golang-golang-x-text.
[18:49] the fix is in debian? i mean uploaded?
[18:49] In the next upload of micro, we'll switch from golang-x-text to golang-golang-x-text.
[18:49] yep.
[18:49] Debian bug 964271 in src:golang-x-text "golang-x-text: CVE-2020-14040" [Grave, Open]
[18:49] The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Deco...
[18:49] okay. once you do that let me know. I got you a sponsor for it in focal-universe
[18:49] It was fixed and uploaded on 15th July.
[18:49] The_LoudSpeaker: perfect!
[18:50] no you haven't gotten a sponsor yet
[18:50] XD
[18:53] oh ALSO
[18:53] NACK because E:MissingDependencies
[19:04] this is gonna be a chain of SRUs then.
[19:31] yep