Help with a debdiff for tigervnc

Andrew C Aitchison andrew at aitchison.me.uk
Sun Jan 21 18:05:48 UTC 2024


On Sun, 21 Jan 2024, Aaron Rainbolt wrote:

> On 1/21/24 05:41, Andrew C Aitchison wrote:
>> 
>> Debian have fixed a security bug in tigervnc which is in universe,
>> so someone needs to generate a debdiff for the security team to
>>  review it and publish the package:
>> https://bugs.launchpad.net/ubuntu/+source/tigervnc/+bug/2048442
>> 
>> Debian have fixed this by building tigervnc 1.13.1 with xorg-server-source
>>> = 2:21.1.10, but Ubuntu 23.10 has tigervnc 1.12.0+dfsg-8 and
>>> xorg-server-source
>> 2:21.1.7-3ubuntu2.6
>> 
>> On a good day I can build a .deb from source, but I am not familiar with
>> debdiffs and it is not clear to me that changing the upstream version
>> (either for mantic or noble) is a casual thing to do.
>> 
>> What is the next step to get this fix published ?
>
> If all that's necessary is to rebuild tigervnc against a properly patched 
> xorg-xserver-source, this shouldn't be too tricky. The versions of 
> xorg-xserver with the patch fixed can be seen at 
> https://ubuntu.com/security/notices/USN-5986-1. All that would then be 
> necessary is to bump the dependency to require a version of 
> xorg-xserver-source greater than or equal to the corresponding version in 
> each stable release, and bump the dependency to require the newest available 
> version of xorg-server-source or greater in the development release.
>
> The tricky part here is following the whole Stable Release Updates process 
> (https://wiki.ubuntu.com/StableReleaseUpdates), which takes at least a week 
> (probably more like a week and a couple of days) and requires lot of effort 
> and testing to make work. If you're interested in helping to fix this 
> hands-on, I'd be happy to assist, but stable release updates are one of the 
> harder parts of Ubuntu development. If you'd prefer, I'd also be happy to 
> just take this bug and work on getting it fixed.

Could you take it please ? I don't have any Ubuntu developer rights.

What is the best way to watch or see what you have done ?

Thanks,

-- 
Andrew C. Aitchison                      Kendal, UK
                    andrew at aitchison.me.uk


More information about the Ubuntu-devel-discuss mailing list