[ubuntu/resolute-proposed] dpkg 1.23.6ubuntu1 (Accepted)
Matthias Klose
doko at ubuntu.com
Sat Mar 7 07:59:16 UTC 2026
dpkg (1.23.6ubuntu1) resolute; urgency=medium
* Merge with Debian; remaining changes:
- Change native source version/format mismatch errors into warnings
until the dust settles on Debian bug 737634 about override options.
- Add DPKG_UNTRANSLATED_MESSAGES environment check so that higher-level
tools can get untranslated dpkg terminal log messages while at the
same time having translated debconf prompts.
- Map unqualified package names of multiarch-same packages to the native
arch instead of throwing an error, so that we don't break on upgrade
when there are unqualified names stored in the dpkg trigger database.
- Apply a workaround from mvo to consider ^rc packages as multiarch,
during the dpkg consistency checks. (see LP: 1015567 and 1057367).
- dpkg-gencontrol: Fix Package-Type override handling for ddeb support.
- scripts/Dpkg/Vendor/Ubuntu.pm, scripts/dpkg-buildpackage.pl: set
'nocheck' in build options by default on Ubuntu/riscv64. Overridable
in debian/rules with
'DEB_BUILD_OPTIONS := $(filter-out nocheck,$(DEB_BUILD_OPTIONS))'.
- dpkg-dev: Depend on lto-disabled-list.
- dpkg-buildflags: Read package source names from lto-disabled-list,
to build without lto optimizations. When adding a source package to the
list, please also file a launchpad issue and tag it with 'lto'.
- scripts/Dpkg/Vendor/Ubuntu.pm: set 'noudeb' build profile by
default. Override this by exporting DEB_BUILD_PROFILE='!noudeb' which
will be stripped, and thus building with udebs.
- build: Switch default dpkg-deb compression from xz to zstd.
Keep compressing dpkg.deb with xz to help bootstrapping on non-Ubuntu
systems.
- set default zstd compression level to 19
- scripts/Dpkg/Vendor/Debian.pm: Always include "-fdebug-prefix-map"
to build flags. Map path to "/usr/src/PKGNAME-PKGVER" instead of
".", honouring the DWARF standard which prohibits relative paths
in DW_AT_comp_dir.
- scripts/{mk/buildflags.mk,t.mk}: Add support for DEB_BUILD_DEBUGPATH.
- man/dpkg-buildflags.pod: Document new behaviour of "fdebugmap" and
new DEB_BUILD_DEBUGPATH variable.
- Disable -fstack-clash-protection on armhf since it causes crashes
- dpkg-buildflags: Add a new feature "framepointer" in the "qa" area.
- Turn on the use of frame pointers by default on 64bit architectures.
- Update _FORTIFY_SOURCE documentation.
- Update Dpkg_BuildFlags test case.
- Fix debian/rules duplicate invocations of dh_builddeb
- lib/dpkg/compress.c: clean up override of the default zstd compression
level
- dpkg-buildflags: Explicitly turn off hardening flags when requested.
- Export environment variables DEB_BUILD_OS_RELEASE_ID, DEB_HOST_ARCH,
DEB_SOURCE, and DEB_VERSION when including buildflags.mk (LP: #2070015)
- buildflags: document RUSTFLAGS
- buildflags: Always set RUSTFLAGS
- tests: avoid failing under DEB_VENDOR != Debian
- dpkg-buildflags: enable ELF package note metadata
- buildflags: set origin of env vars for ELF package metadata
- Export ELF_PACKAGE_METADATA for a build. Picked up by GCC and clang.
Passing -specs explicitly can be dropped in a follow-up upload.
- dpkg-buildflags: set RUSTFLAGS to influence the command line flags cargo
will pass to rustc, and set the flags to include framepointers when the
framepointer feature of the qa area is enabled.
- Disable framepointer on ppc64el.
- Disable framepointer on s390x, leaving only -mbackchain.
- Add a note about different behaviour of dpkg-buildflags with respect to
LTO on Ubuntu.
- dpkg-buildpackage: Construct ELF_PACKAGE_METADATA, and set in the
environment if not already set. This setting is picked up by
GCC and clang, passing a --package-metadata option the the linker.
- Stop passing --specs for metadata information. It's too fragile
and only works for GCC. Also introduces a lot of packaging delta.
- Stop defaulting to -O3 on amd64.
- dpkg-dev: Still prefer gnupg and gpgv over sq.
Introduce architecture variants (thanks to mwhudson for the rebase)
- scripts/dpkg-gencentrol.pl: fix operator precedence.
- Copy across the architecture variant (LP #2128606)
- Drop unused elf-package-metadata specs files
- dpkg-buildflags: set --package-metadata directly in LDFLAGS, and still
set ELF_PACKAGE_METADATA in the environment.
- Include architecture variant in ELF package metadata (LP #2131806)
dpkg (1.23.6) unstable; urgency=medium
[ Guillem Jover ]
* dpkg-query: Fix segfault with empty -S argument. LP: #2092676
* dpkg-deb: Be more robust against truncated ar archives.
Reported by Yashashree Gund <yash_gund at live.com>.
* dpkg-deb: Reject ar archives with 0 sized tar members.
Reported by Yashashree Gund <yash_gund at live.com>.
* libdpkg, scripts: Detect corrupt ar archive with non-even byte sizes.
* dpkg-source: Fix running from within the source tree.
Reported by Umut <ue16 at gmx.de> (on IRC).
* dpkg-source: Support running --commit from within the source tree w/o
«.». Closes: #1127383
* dpkg-source: Fix format in maintainer error message.
Thanks to Marko Zajc <marko at zajc.tel>.
* dpkg-scanpackages: Add new --no-implicit-arch option. Closes: #1128325
* Perl modules:
- Dpkg::Shlibs::Objdump::Object: Clarify code comment.
- Dpkg::Source::Package::V2: Do not print source root on modified files
list. Closes: #1126558
- Dpkg::Source::Patch: Speed up patched filename retrieval in patches.
- Dpkg::Source::Patch: Add comment about the use of tr{}{} as char counter.
- Dpkg::OpenPGP::Backend::GnuPG: Add missing Dpkg::Gettext import.
Closes: #1128406
- Dpkg::OpenPGP::Backend::GnuPG: Refactor _file_read_header().
- Dpkg::OpenPGP::Backend::GnuPG: Detect and warn on LibrePGP artifacts.
- Dpkg::Email::Address: Warn on email domains with a single label.
Closes: #1126508
- Dpkg::Source::Patch: Fix code comment.
- Dpkg::Source::Patch: Add new has_errors() method.
- Dpkg::Source::Package::V2: Delay unrepresentable error after local
changes list. Closes: #1126665
- Dpkg::Vendor: Fix taint mode in get_vendor_object().
- Dpkg::Compression: Remove deprecated function compression_get_property().
- Dpkg::Archive::Ar: Switch header variables into a hash.
- Dpkg::Archive::Ar: Check that no header field is empty.
* Code internals:
- libdpkg: Use varbuf_str() instead of directly accessing buf.
- scripts: Parse and validate all Changed-By and Maintainer field inputs.
Closes: #1126507
- libdpkg: Terminate zstd decompression when we have no more data.
Reported by Yashashree Gund <yash_gund at live.com>. Closes: #1129722
Fixes CVE-2026-2219.
- dpkg-deb: Refactor ar member size into an intermediate variable.
* Build system:
- Add URL, Maintainer and License fields to .pc file.
* Test suite:
- Add basic Perl taint mode checks.
* Localization:
- Update Dutch translations.
Thanks to Frans Spiesschaert <Frans.Spiesschaert at yucom.be>.
Closes: #1127882, #1127884
- Update Swedish translations.
Thanks to Peter Krefting <peter at softwolves.pp.se>. Closes: #1128529
Date: Sat, 07 Mar 2026 08:47:21 +0100
Changed-By: Matthias Klose <doko at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/dpkg/1.23.6ubuntu1
-------------- next part --------------
Format: 1.8
Date: Sat, 07 Mar 2026 08:47:21 +0100
Source: dpkg
Built-For-Profiles: noudeb
Architecture: source
Version: 1.23.6ubuntu1
Distribution: resolute
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Matthias Klose <doko at ubuntu.com>
Closes: 1126507 1126508 1126558 1126665 1127383 1127882 1127884 1128325 1128406 1128529 1129722
Launchpad-Bugs-Fixed: 2070015 2092676
Changes:
dpkg (1.23.6ubuntu1) resolute; urgency=medium
.
* Merge with Debian; remaining changes:
- Change native source version/format mismatch errors into warnings
until the dust settles on Debian bug 737634 about override options.
- Add DPKG_UNTRANSLATED_MESSAGES environment check so that higher-level
tools can get untranslated dpkg terminal log messages while at the
same time having translated debconf prompts.
- Map unqualified package names of multiarch-same packages to the native
arch instead of throwing an error, so that we don't break on upgrade
when there are unqualified names stored in the dpkg trigger database.
- Apply a workaround from mvo to consider ^rc packages as multiarch,
during the dpkg consistency checks. (see LP: 1015567 and 1057367).
- dpkg-gencontrol: Fix Package-Type override handling for ddeb support.
- scripts/Dpkg/Vendor/Ubuntu.pm, scripts/dpkg-buildpackage.pl: set
'nocheck' in build options by default on Ubuntu/riscv64. Overridable
in debian/rules with
'DEB_BUILD_OPTIONS := $(filter-out nocheck,$(DEB_BUILD_OPTIONS))'.
- dpkg-dev: Depend on lto-disabled-list.
- dpkg-buildflags: Read package source names from lto-disabled-list,
to build without lto optimizations. When adding a source package to the
list, please also file a launchpad issue and tag it with 'lto'.
- scripts/Dpkg/Vendor/Ubuntu.pm: set 'noudeb' build profile by
default. Override this by exporting DEB_BUILD_PROFILE='!noudeb' which
will be stripped, and thus building with udebs.
- build: Switch default dpkg-deb compression from xz to zstd.
Keep compressing dpkg.deb with xz to help bootstrapping on non-Ubuntu
systems.
- set default zstd compression level to 19
- scripts/Dpkg/Vendor/Debian.pm: Always include "-fdebug-prefix-map"
to build flags. Map path to "/usr/src/PKGNAME-PKGVER" instead of
".", honouring the DWARF standard which prohibits relative paths
in DW_AT_comp_dir.
- scripts/{mk/buildflags.mk,t.mk}: Add support for DEB_BUILD_DEBUGPATH.
- man/dpkg-buildflags.pod: Document new behaviour of "fdebugmap" and
new DEB_BUILD_DEBUGPATH variable.
- Disable -fstack-clash-protection on armhf since it causes crashes
- dpkg-buildflags: Add a new feature "framepointer" in the "qa" area.
- Turn on the use of frame pointers by default on 64bit architectures.
- Update _FORTIFY_SOURCE documentation.
- Update Dpkg_BuildFlags test case.
- Fix debian/rules duplicate invocations of dh_builddeb
- lib/dpkg/compress.c: clean up override of the default zstd compression
level
- dpkg-buildflags: Explicitly turn off hardening flags when requested.
- Export environment variables DEB_BUILD_OS_RELEASE_ID, DEB_HOST_ARCH,
DEB_SOURCE, and DEB_VERSION when including buildflags.mk (LP: #2070015)
- buildflags: document RUSTFLAGS
- buildflags: Always set RUSTFLAGS
- tests: avoid failing under DEB_VENDOR != Debian
- dpkg-buildflags: enable ELF package note metadata
- buildflags: set origin of env vars for ELF package metadata
- Export ELF_PACKAGE_METADATA for a build. Picked up by GCC and clang.
Passing -specs explicitly can be dropped in a follow-up upload.
- dpkg-buildflags: set RUSTFLAGS to influence the command line flags cargo
will pass to rustc, and set the flags to include framepointers when the
framepointer feature of the qa area is enabled.
- Disable framepointer on ppc64el.
- Disable framepointer on s390x, leaving only -mbackchain.
- Add a note about different behaviour of dpkg-buildflags with respect to
LTO on Ubuntu.
- dpkg-buildpackage: Construct ELF_PACKAGE_METADATA, and set in the
environment if not already set. This setting is picked up by
GCC and clang, passing a --package-metadata option the the linker.
- Stop passing --specs for metadata information. It's too fragile
and only works for GCC. Also introduces a lot of packaging delta.
- Stop defaulting to -O3 on amd64.
- dpkg-dev: Still prefer gnupg and gpgv over sq.
Introduce architecture variants (thanks to mwhudson for the rebase)
- scripts/dpkg-gencentrol.pl: fix operator precedence.
- Copy across the architecture variant (LP #2128606)
- Drop unused elf-package-metadata specs files
- dpkg-buildflags: set --package-metadata directly in LDFLAGS, and still
set ELF_PACKAGE_METADATA in the environment.
- Include architecture variant in ELF package metadata (LP #2131806)
.
dpkg (1.23.6) unstable; urgency=medium
.
[ Guillem Jover ]
* dpkg-query: Fix segfault with empty -S argument. LP: #2092676
* dpkg-deb: Be more robust against truncated ar archives.
Reported by Yashashree Gund <yash_gund at live.com>.
* dpkg-deb: Reject ar archives with 0 sized tar members.
Reported by Yashashree Gund <yash_gund at live.com>.
* libdpkg, scripts: Detect corrupt ar archive with non-even byte sizes.
* dpkg-source: Fix running from within the source tree.
Reported by Umut <ue16 at gmx.de> (on IRC).
* dpkg-source: Support running --commit from within the source tree w/o
«.». Closes: #1127383
* dpkg-source: Fix format in maintainer error message.
Thanks to Marko Zajc <marko at zajc.tel>.
* dpkg-scanpackages: Add new --no-implicit-arch option. Closes: #1128325
* Perl modules:
- Dpkg::Shlibs::Objdump::Object: Clarify code comment.
- Dpkg::Source::Package::V2: Do not print source root on modified files
list. Closes: #1126558
- Dpkg::Source::Patch: Speed up patched filename retrieval in patches.
- Dpkg::Source::Patch: Add comment about the use of tr{}{} as char counter.
- Dpkg::OpenPGP::Backend::GnuPG: Add missing Dpkg::Gettext import.
Closes: #1128406
- Dpkg::OpenPGP::Backend::GnuPG: Refactor _file_read_header().
- Dpkg::OpenPGP::Backend::GnuPG: Detect and warn on LibrePGP artifacts.
- Dpkg::Email::Address: Warn on email domains with a single label.
Closes: #1126508
- Dpkg::Source::Patch: Fix code comment.
- Dpkg::Source::Patch: Add new has_errors() method.
- Dpkg::Source::Package::V2: Delay unrepresentable error after local
changes list. Closes: #1126665
- Dpkg::Vendor: Fix taint mode in get_vendor_object().
- Dpkg::Compression: Remove deprecated function compression_get_property().
- Dpkg::Archive::Ar: Switch header variables into a hash.
- Dpkg::Archive::Ar: Check that no header field is empty.
* Code internals:
- libdpkg: Use varbuf_str() instead of directly accessing buf.
- scripts: Parse and validate all Changed-By and Maintainer field inputs.
Closes: #1126507
- libdpkg: Terminate zstd decompression when we have no more data.
Reported by Yashashree Gund <yash_gund at live.com>. Closes: #1129722
Fixes CVE-2026-2219.
- dpkg-deb: Refactor ar member size into an intermediate variable.
* Build system:
- Add URL, Maintainer and License fields to .pc file.
* Test suite:
- Add basic Perl taint mode checks.
* Localization:
- Update Dutch translations.
Thanks to Frans Spiesschaert <Frans.Spiesschaert at yucom.be>.
Closes: #1127882, #1127884
- Update Swedish translations.
Thanks to Peter Krefting <peter at softwolves.pp.se>. Closes: #1128529
Checksums-Sha1:
7b50215a6bd8e9c6cc8c8e2f308dcd5724cb7d23 3482 dpkg_1.23.6ubuntu1.dsc
5d8fbf29d6a6e719a9b8b68f2d5ef09853166a99 5774112 dpkg_1.23.6ubuntu1.tar.xz
0488bc7819cfd933cc48f90578d223b1559fdd94 7464 dpkg_1.23.6ubuntu1_source.buildinfo
Checksums-Sha256:
9c7bbc048539833e14bd72dd6b3dc201d634837000134b08dd09438762d0ac1d 3482 dpkg_1.23.6ubuntu1.dsc
4ddf9ae52880852ac6ffb1963b48e308a26e4a1e1b2687131dccb0598dca64a5 5774112 dpkg_1.23.6ubuntu1.tar.xz
a7e8c66a6adef97e9fa966db511ae85eff32a36e4bdadddfd4c28e5ad65246d1 7464 dpkg_1.23.6ubuntu1_source.buildinfo
Files:
e638c42ddbf4742da2338eb8ab30a7f8 3482 admin required dpkg_1.23.6ubuntu1.dsc
3a3565c0782f7e89da2fd00555fe7d60 5774112 admin required dpkg_1.23.6ubuntu1.tar.xz
1781dc39cce689037a1d857efe58219f 7464 admin required dpkg_1.23.6ubuntu1_source.buildinfo
Original-Maintainer: Dpkg Developers <debian-dpkg at lists.debian.org>
More information about the Resolute-changes
mailing list