[Bug 1920724] Re: Upgrade focal/libjcat to version 0.1.3-2 and MIR it
Alex Murray
1920724 at bugs.launchpad.net
Wed Jul 21 00:18:08 UTC 2021
root@focal:~# reverse-depends libjcat1
Reverse-Depends
* fwupd
* gir1.2-jcat-1.0
* jcat
* libfwupd2
* libfwupdplugin1
* libjcat-dev
* libjcat-tests
I don't have a strong opinion on whether backporting just the CVE fix or
doing a wholesale backport of 0.1.3-2 is the better option - it depends
on how likely the 0.1.3-2 backport is to cause some regression - the CVE
fix itself looks pretty self-contained in
https://github.com/hughsie/libjcat/commit/839b89f so I don't think that
is likely to cause any issues itself, however there is potentially a
regression risk with sticking with libjcat 0.1.0 combined with a newer
fwupd too so either way this will need good testing to ensure the risk
of regression is minimised. Given this, perhaps the better option is to
just backport 0.1.3-2 as we have evidence that this works well with
fwupd 1.5.11 in impish.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libjcat in Ubuntu.
https://bugs.launchpad.net/bugs/1920724
Title:
Upgrade focal/libjcat to version 0.1.3-2 and MIR it
Status in OEM Priority Project:
In Progress
Status in libjcat package in Ubuntu:
Fix Released
Status in libjcat source package in Focal:
New
Bug description:
[Impact]
Needed for fwupd 1.5.11
[Test plan]
It has a test suite and fwupd uses it, so testing fwupd tests it to some extent.
[Where problems could occur]
fwupd could break on regressions. Then again, this is a straight backport and it's fairly small.
[Original report]
per lp:1920723, we need to upgrade focal/libjcat to version 0.1.3-2
(as in groovy/hirsute/impish) from version 0.1.0-2.
libjcat in focal is in universe, we need to MIR it.
ppa for upgrade libjcat in focal: https://launchpad.net/~ycheng-twn/+archive/ubuntu/fwupd1511
[Availability]
yes, it's in ubuntu universe.
[Rationale]
Given lp:1920723, we need to MIR it in focal.
[Quality assurance]
[Security]
[Standards compliance]
[Maintenance]
Given it's in main in hirsute / groovy already, it's fine.
[Dependencies]
Per check, the dependency in groovy is exactly the same as in focal.
[Background information]
See details in lp:1934209