Issues from D-I / KiBi:
- udhcpc bugs (Ubuntu are looking to switch to isc-dhcp-client)
- wget and SSL support (and fun with pulling in new udebs)
- modprobe and friends (more udeb fun, copying non-udeb libraries in)
- glibc static builds workaround (we should be able to get rid of this for >= buster)

Significant users of busybox:
- Debian Installer:
  - consumes udebs
  - has special config
  - has size restrictions on some arches
  - general D-I / udeb care required
- initramfs-tools / actual initramfses:
  - uses standard 'busybox' packages
  - (may also be able to use -static?)
  - (busybox in initramfs may even be optional?)
  - Ben Hutchings (bwh) may be a good contact here
  - ties in with (depended on by) dropbear-initramfs, live-boot-initramfs-tools, open-infrastructure-initramfs-tools, zfs-initramfs
- Others (e.g. by rdeps):
  - bootcd
  - people who use it in a rescue environment

Variants of the package:
- busybox
  - "normal" build, also used in initramfs
  - popcon (inst): num 193537, 98.64%, rank 117
- busybox-static
  - statically linked, uses Built-Using
  - config significantly different from plain busybox (bootc finds this surprising)
  - does it work with initramfs?
  - NOT co-installable with busybox
  - popcon (inst): num 816, 0.42%, rank 12880
- busybox-udeb
  - dynamically linked, reduced configuration
  - underpins D-I; popcon clearly irrelevant
  - sub-flavours for linux, hurd, kfreebsd

Jobs that need undertaking (in no particular order) for the first upload:
- bug triage
  - must (also check in older distributions)
    - TEMP-0803097-A74121 #803097 segmentation fault while unzipping bad archive (<= stretch only) cherry-pick.1_24_0-68-g1de25a6e8.unzip-test-for-bad-archive-segving.patch
    - CVE-2016-2148 #818497 (<= stretch only)
    - CVE-2016-2147 #818499 (<= stretch only)
    - CVE-2011-5325 #802702 b920a38dc (done for sid) (<= stretch only)
    - CVE-2014-9645 (<= jessie only)
    - CVE-2014-4607 (wheezy only)
    - CVE-2013-1813 (wheezy only)
  - review needed (also check in older distributions)
    - #812074 busybox: 'tar' fails to create a tar.gz file and a tar.bz2
  - Closes:
    - #803097 [TEMP]
    - #818497 [CVE-2016-2148]
    - #818499 [CVE-2016-2147]
    - #802702 [CVE-2011-5325]
    - #831634 (new upstream version)
    - #854181 (RFH)
- decide on a packaging format/tooling/system and naming (e.g. gbp/dgit/?, DEP-14?) (http://dep.debian.net/deps/dep14/) (we'll go this way but stick to the name "master")
  - document this in README.source
- new upstream release (1.22.1 => 1.27.1)
  - a quick 'gbp import-orig [...]' fails with a merge failure (taken care of)
  - discuss how to deal with new features/modules
- refresh patch queue (axhn)
  - many patches can be dropped, BSD should be checked with StevenC99
- switch debian/rules to use dh sequencer (bootc?)
  - this is workable with building multiple times, bootc does this for ppp and its udeb
- rewrite d/copyright in DEP-5
- general spring cleaning (dh compat 10, standards ver, wrap-and-sort?, etc...)
- agreement on shared workflow and also details as gory as quilt options or patch names
- is debian-boot@l.d.o the correct "team" to maintain this under?
  - no reason to change (bootc)? ACK
- Uploaders header should be tweaked, should reach out to waldi (done, ACKed) / mjt

Tentative changelog

  * New upstream release 1.27.2. This addresses:
    - Segfault when creating compressed tar files. Closes: #812074
    - Pointer misuse unzipping files. Closes: #803097
    - Buffer overflow in the DHCP client. Closes: #818497 [CVE-2016-2148]
    - Integer overflow in the DHCP client. Closes: #818499 [CVE-2016-2147]
  * Postpone creation of symlinks with "suspicious" targets. Closes: #802702 [CVE-2011-5325]
  * Re-enable the test suite during build. Closes: #794526

Future work (i.e. after first upload)
- prepare packages for stable/oldstable/LTS
- upstream BSD/Hurd patches after successful tests
- make BSD/Hurd test suite poking an upstreamable patch (done), upstream
- promote a "requires root" test class upstream, add mdev test (half-done)
- autopkg, mostly to test the BSD/Hurd patches
- full bug triaging, forward where applicable, add bug tags
- create an "everything enabled" flavour, perhaps a "minimal set" as well if somebody sees the need
  - must not break update-initramfs result
- policy on new features/modules in a new upstream release (half-done)
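The changelog entry "Postpone creation of symlinks with 'suspicious' targets" (#802702, CVE-2011-5325) names a mitigation worth seeing end to end: a tar extractor that creates a symlink pointing outside the tree (absolute target, or any ".." component) and then extracts a later member "through" it writes outside the destination. Deferring such links until every other member is on disk removes the window. The Python below is an added illustration written for these notes, not busybox's tar code; the sample archive, the suspicious-target test and the report layout are this example's own assumptions.

```python
"""Deferred creation of symlinks with "suspicious" targets during tar extraction.

Added example for these notes (not busybox's implementation) of the mitigation
behind the CVE-2011-5325 changelog entry.  Archive contents are constructed inline.
"""
import io
import os
import tarfile
import tempfile


def is_suspicious(target: str) -> bool:
    """Absolute target, or any '..' path component, is treated as suspicious."""
    return target.startswith("/") or ".." in target.split("/")


def _dest_path(root: str, name: str) -> str:
    """Map a member name to a path below root; refuse names that could escape."""
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError(f"refusing member name {name!r}")
    return os.path.join(root, *parts)


def _inside(root_real: str, path: str) -> bool:
    """True if path, after resolving symlinks already on disk, stays below root."""
    real = os.path.realpath(path)
    return real == root_real or real.startswith(root_real + os.sep)


def extract_deferring_symlinks(tar_bytes: bytes, root: str) -> dict:
    """Extract regular entries as they come; create suspicious symlinks last."""
    report = {"files": [], "symlinks": [], "postponed": [], "skipped": []}
    root_real = os.path.realpath(root)
    deferred = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for m in tf:
            dest = _dest_path(root, m.name)
            parent = os.path.dirname(dest)
            if m.isdir():
                os.makedirs(dest, exist_ok=True)
            elif m.isfile():
                os.makedirs(parent, exist_ok=True)
                if not _inside(root_real, parent):  # parent resolves out of the tree
                    report["skipped"].append(m.name)
                    continue
                flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
                with os.fdopen(os.open(dest, flags, 0o644), "wb") as out:
                    out.write(tf.extractfile(m).read())
                report["files"].append(m.name)
            elif m.issym() and is_suspicious(m.linkname):
                deferred.append((m.name, dest, m.linkname))  # create after everything else
                report["postponed"].append(m.name)
            elif m.issym():
                os.makedirs(parent, exist_ok=True)
                os.symlink(m.linkname, dest)
                report["symlinks"].append(m.name)
            else:
                report["skipped"].append(m.name)  # hardlinks, devices etc. not handled here
    for name, dest, linkname in deferred:
        try:
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            os.symlink(linkname, dest)
            report["symlinks"].append(name)
        except FileExistsError:
            # A real entry was extracted at this path meanwhile; the link can no
            # longer redirect any write, so it is simply not created.
            report["skipped"].append(name)
    return report


def build_sample_tar() -> bytes:
    """Constructed archive: a benign link, then the traversal pattern of CVE-2011-5325."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        d = tarfile.TarInfo("data"); d.type = tarfile.DIRTYPE; d.mode = 0o755
        tf.addfile(d)
        ok = tarfile.TarInfo("ok"); ok.type = tarfile.SYMTYPE; ok.linkname = "data"
        tf.addfile(ok)
        evil = tarfile.TarInfo("link"); evil.type = tarfile.SYMTYPE; evil.linkname = "../../outside"
        tf.addfile(evil)
        payload = b"owned\n"
        f = tarfile.TarInfo("link/pwned"); f.size = len(payload)
        tf.addfile(f, io.BytesIO(payload))  # would land outside root if 'link' existed
    return buf.getvalue()


def run_demo() -> dict:
    """Extract the sample into a scratch directory and record where things ended up."""
    with tempfile.TemporaryDirectory() as root:
        report = extract_deferring_symlinks(build_sample_tar(), root)
        link = os.path.join(root, "link")
        report["link_is_real_dir"] = os.path.isdir(link) and not os.path.islink(link)
        report["payload_inside_root"] = os.path.isfile(os.path.join(link, "pwned"))
        report["payload_outside_root"] = os.path.exists(os.path.join(root, "..", "..", "outside", "pwned"))
    return report


if __name__ == "__main__":
    print(run_demo())
```

With deferral, "link/pwned" forces a real directory into existence and the postponed symlink then fails with EEXIST instead of redirecting the write; the O_EXCL/O_NOFOLLOW open and the realpath check on the parent are belt-and-braces against links created by earlier, non-suspicious members.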