Regression identified in Service Provider library, new version pushed

Robert Bradley robert.bradley at it.ox.ac.uk
Fri Nov 17 10:37:19 EST 2017


On 17/11/17 14:00, Cantor, Scott wrote:
> On 11/17/17, 8:45 AM, "users on behalf of Kristof Bajnok" 
> <users-bounces at shibboleth.net on behalf of bajnokk at niif.hu> wrote:
>> Does this dance affect people on Debian? It seems that
>> xmltooling is still on 2.6.0 even after the upgrade.
> 
> I don't package for Debian and I don't understand its rules, so I 
> don't know what's available where from whom but I don't think it's 
> possible to make 2.6.1 available in the latest. I know that Ferenc 
> has been busy getting the security patches submitted and they are 
> aware of the regression. I don't think any of the new stuff was
> even really out the door before I got this fixed.
> 

As far as I can see in the Debian packages, the only changes are to
shibsp/metadata/DynamicMetadataProvider.cpp (stretch/shibboleth-sp2,
debian/patches/from-upstream/Security-fix-from-V2.6.1-SSPCPP-763.patch)
and saml/saml2/metadata/impl/DynamicMetadataProvider.cpp
(stretch/opensaml2,
debian/patches/from-upstream/Security-fix-from-V2.6.1-CPPOST-105.patch).
These only affect the DynamicMetadataProvider.cpp files, and Debian
should be unaffected by the regression.

As a general aside on Debian packaging:

The Debian policy for packaging is generally that the upstream version
number of the package remains constant for a given release.
(Exceptions exist for firefox-esr and the like.)  So, on Debian the
Shibboleth SP release is 2.6.0 for stretch, and 2.5.3 for jessie.  The
Debian package version then suffixes Debian-specific versioning on to
this.  Security fixes get included as a series of patch files to the
original source, and are automatically applied during the package
build process.

For packages in a git repository, as shibboleth-sp2 is, the "gbp pq"
command semi-magically turns a git branch of patch commits into a
suitable debian/patches/ directory for you.

-- 
Dr Robert Bradley
Identity and Access Management Team, IT Services, University of Oxford
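
Because the upstream version stays at 2.6.0 while security fixes arrive as patch files, the version number alone does not show whether a Debian source package carries a fix; the patch series does. The following shell code is an added example, not part of the original message or of Debian's tooling: the function names are hypothetical, and the version string and source tree are constructed sample data (only the patch path is taken from the message above).

```shell
#!/bin/sh
# Added example. The version string and the source tree built below are
# constructed sample data; only the patch path comes from the message above.

# Upstream part of a Debian version: [epoch:]upstream[-debian_revision]
upstream_version() {
    v=${1#*:}                            # drop the epoch, if any
    case $v in *-*) v=${v%-*} ;; esac    # drop the revision after the last '-'
    printf '%s\n' "$v"
}

# Patch names from a quilt series file: skip blank lines and comments,
# ignore per-patch options such as "-p1".
series_patches() {
    while read -r name _opts || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        printf '%s\n' "$name"
    done < "$1"
}

# True if the unpacked source lists the patch in the series and ships the file.
has_backport() {
    series_patches "$1/debian/patches/series" | grep -Fxq -- "$2" &&
        [ -f "$1/debian/patches/$2" ]
}

# Build a constructed source tree with the layout described in the message.
make_sample_tree() {
    mkdir -p "$1/debian/patches/from-upstream"
    : > "$1/debian/patches/from-upstream/Security-fix-from-V2.6.1-SSPCPP-763.patch"
    printf '%s\n' '# constructed series file' \
        'from-upstream/Security-fix-from-V2.6.1-SSPCPP-763.patch -p1' \
        > "$1/debian/patches/series"
}

tree=$(mktemp -d)
make_sample_tree "$tree"
pkg_version='2.6.0-1+deb9u1'    # constructed Debian version string
fix='from-upstream/Security-fix-from-V2.6.1-SSPCPP-763.patch'
echo "upstream version: $(upstream_version "$pkg_version")"
if has_backport "$tree" "$fix"; then
    echo "backported fix present: $fix"
else
    echo "backported fix missing: $fix"
fi
rm -rf "$tree"
```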