luis220413 | Why is this build producing packages that do not install any files other than the Debian changelog and copyright? https://launchpad.net/~luis220413/+archive/ubuntu/security-updates/+build/24229909 | 09:00 |
---|---|---|
luis220413 | This is an indirect build-dependency needed to fix CVE-2021-32798 in jupyter-notebook in Ubuntu 20.04 (focal). | 09:00 |
ubottu | The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook. The XSS allows an attacker t... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32798> | 09:00 |
luis220413 | ebarretto: ^ | 09:01 |
schopin | luis220413: (wild guess hypothesis here, I haven't actually checked anything besides the build logs): could be that whichever build helper (dh, some node-specific dh addon) is smarter on 22.04 and installs some files by default that would need to be explicitly installed with the 20.04 version? | 09:06 |
RikMills | I think you need to add back the explicit 'dh $@ --with nodejs' in debian/rules as you dropped using the dh-sequence-nodejs build dep | 09:10 |
RikMills | possibly........... | 09:10 |
RikMills | https://salsa.debian.org/js-team/node-deepmerge/-/commit/a4ba4eaccd1ce4e02b02c0907f3c4091fc5ab5df | 09:11 |
ubottu | Commit a4ba4ea in js-team/node-deepmerge "Use dh-sequence-nodejs" | 09:11 |
RikMills | i.e. you only partly reverted that | 09:11 |
RikMills | anyway, that is my guess | 09:12 |
luis220413 | RikMills: This worked. I will upload it now to my PPA | 09:20 |
luis220413 | https://launchpad.net/~luis220413/+archive/ubuntu/security-updates/+packages | 09:20 |
RikMills | \o/ | 09:22 |
luis220413 | For Bionic, a build dependency of this package (rollup) failed to build because its source package (node-rollup) has a build dependency on it. | 09:24 |
luis220413 | But rollup is not usable in cosmic (and therefore would not be usable on bionic with the same version) according to bug 1790200 | 09:26 |
ubottu | Bug 1790200 in node-rollup (Ubuntu) "Rollup build-depends on itself and needs to be bootstrapped" [Undecided, Confirmed] https://launchpad.net/bugs/1790200 | 09:26 |
luis220413 | However, version 0.50.0-2 does not have this circular build dependency and the changes from the version in Bionic are compatible packaging changes and a patch that makes rollup usable. | 09:32 |
luis220413 | s/rollup/the package/ | 09:35 |
luis220413 | I will upload this version to my PPA now. | 09:40 |
luis220413 | Uploaded. | 10:37 |
luis220413 | I will leave now but I will see your replies in the logs. | 10:37 |