[Bug 2063221] Re: Drop libglib2.0-0 transitional package

Launchpad Bug Tracker 2063221 at bugs.launchpad.net
Mon May 20 14:36:56 UTC 2024 

This bug was fixed in the package glib2.0 - 2.80.1-0ubuntu2

---------------
glib2.0 (2.80.1-0ubuntu2) oracular; urgency=medium

  * Fix doc build

glib2.0 (2.80.1-0ubuntu1) oracular; urgency=medium

  * New upstream release
  * Drop patches applied in new release

glib2.0 (2.80.0-10ubuntu1) oracular; urgency=medium

  * Merge with Debian. Remaining change:
    - Don't enable sysprof integration in Ubuntu yet

glib2.0 (2.80.0-10) unstable; urgency=high

  * Team upload
  * d/patches: Add GDBus security fixes intended to be in 2.80.1
    - If local users send signals on the D-Bus system bus that spoof a
      trusted sender, do not deliver them to signal subscriptions for the
      trusted sender's well-known bus name (CVE-2024-34397)
    - Fix a use-after-free when subscribing to signals with an arg0
      match rule, originally from 2.79.0 and necessary to make the test
      for CVE-2024-34397 pass reliably
    - Add a local backport of g_set_str(), required by the above
    - Add proposed fix for a race condition that can cause a unit test
      to regress after the above
  * d/control: Add Breaks on gnome-shell (<< 44.9-2~).
    The security fix breaks screen recording and screencasting in older
    versions, so we should make sure both changes migrate together.
  * Set high urgency for security fix

 -- Jeremy Bícha <jbicha at ubuntu.com>  Tue, 07 May 2024 14:51:49 -0400

** Changed in: glib2.0 (Ubuntu)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-34397

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glib2.0 in Ubuntu.
https://bugs.launchpad.net/bugs/2063221

Title:
  Drop libglib2.0-0 transitional package

Status in glib2.0 package in Ubuntu:
  Fix Released
Status in glib2.0 source package in Noble:
  Fix Released

Bug description:
  Impact
  ------
  apt can struggle with ordering when handling the massive Y2028 time_t transition when upgrading to Ubuntu 24.04 LTS.

  It was identified that dropping the libglib2.0-0 transitional package
  can help apt do things in the correct order.

  Technically, Steve Langasek already removed libglib2.0-0 from noble
  release just before release. This upload is necessary to ensure that
  we don't accidentally bring it back.

  Test Case
  ---------
  1. Is libglib2.0-0 built?

  2. Run rmadison libglib2.0-0
  There should be 0 results for noble, noble-proposed, or noble-updates

  3. Ensure that libglib2.0-0 is removed during the upgrade from Ubuntu
  22.04 LTS to 24.04 LTS. Technically, ubuntu-release-upgrader is
  currently set to disallow upgrades to 24.04 LTS. If this is still the
  case when it is time to verify this SRU, you can manually substitute
  jammy → noble in /etc/apt/sources.list for purposes of testing this
  upgrade, probably in a VM since that's not the supported way to
  upgrade.

  Where Problems Could Occur
  --------------------------
  Doing an upload to not build a package that already does not exist in Ubuntu 24.04 LTS should have no regression potential. The only other change in this SRU is bumping the Breaks version to ensure that the transitional libglib2.0-0 is also removed for people who were using Ubuntu 24.04 LTS early. That also should not cause problems since the package was an empty transitional package for early Ubuntu 24.04 LTS users.

  Other Info
  ----------
  This is related to LP: #2061918 for the thunderbird deb to snap upgrade

  There are likely several other Launchpad bugs that can be resolved by
  removing the transitional package and some other workarounds in other
  packages, like in the transitional thunderbird package.

  https://salsa.debian.org/gnome-team/glib/-/merge_requests/34

  We have landed the removal in Debian Unstable and it successfully
  migrated to Debian Testing on April 27 as one of the first t64
  packages to migrate there.

  The removal was recommended by Julian Klode, the apt maintainer for
  Debian and Ubuntu.

  The original transitional package was added by Simon McVittie in hopes
  that it would help apt be able to calculate the upgrade easier. At
  least in the Ubuntu Desktop 22.04 LTS → 24.04 LTS case, it looks like
  it was the opposite. (Although that particular detail was fixed by the
  removal that already happened.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glib2.0/+bug/2063221/+subscriptions

More information about the foundations-bugs mailing list