- Package:
- ftp.debian.org
- Source:
- ftp.debian.org
- Submitter:
- "Leo L. Schwab"
- Date:
- 2021-09-22 04:30:18 UTC
- Severity:
- normal
- Tags:
About two weeks ago, a security-related update for 'xpdf' appeared in aptitude's Security Updates section. Pressing 'C' to see what the issue was, aptitude informed me that it couldn't fetch the changelog. This has continued to be the case for the last two weeks. Just a day or so ago, 'linux-source-2.6.26' appeared in the Security Updates section, but its changelog is also missing. Please investigate this matter. Schwab
Since about the middle of last week, changelogs have been missing from all package updates arriving in 'unstable'. Packages that have not been updated so recently still have changelogs. It seems as if the act of updating the package deletes the changelog. This is firmly in the "not good" category. Please investigate. Schwab
Hello, while trying to read the changelog linked to from here: http://packages.debian.org/lenny/linux-image-2.6.26-2-amd64 (i.e., when clicking this link: http://packages.debian.org/changelogs/pool/main/l/linux-2.6/linux-2.6_2.6.26-17lenny1/changelog ) I get a 404 error message. Kind regards, --Toni++
I also do confirm this issue. Sadly, I can't/won't upgrade any packages without a changelog. It's not that I don't trust the package maintainers, but a missing changelog is a no-no.
This is just silly. The updated package is *not* "missing a changelog", the changelog *is* included in the package, it's just not published on the website quickly enough for your liking. Nobody should depend on changelogs published on the website anyway, but only on the changelogs actually included with the package. You can easily review any changes in packages *before* installing them by using the apt-listchanges package, just configure it to display changelogs and ask for confirmation afterwards. And if you also want to check if there are any RC bugs against the package before installing/upgrading it, install apt-listbugs as well... Cheers, FJP
It's happening again. This time, the packages affected are:
- xulrunner-1.9
- xulrunner-1.9-gnome-support
- libexpat1-dev
- libexpat1
- libmozjs1d
These are marked as critical security updates, but the changelogs are completely missing, so I've no idea what was wrong or what's been fixed. Please investigate this matter. Schwab
Okay, so, after reading the entire thread on this bug (yes, I should have done that first), it seems that the changelogs are always present in the package proper, they're just not always up to date on the server. The tone of the response suggests this is considered not a problem. I dissent. When you press 'C' in aptitude to view the changelog for a package, aptitude goes to packages.debian.org to snarf it down and show it to you. This seems a perfectly reasonable way to go about it, and it also seems perfectly reasonable to want to view the changelog before downloading a potentially large package update. However, I confess complete ignorance on the difficulties of keeping packages.debian.org humming along. If it is indeed unreasonable to expect the changelogs on the server to be in sync with the packages, then should I instead be filing an enhancement request against 'aptitude', so it will fish the changelog out of the packages proper? Schwab
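Added illustration, not part of the thread and not how aptitude or apt-listchanges are implemented: the changelog the posts above refer to ships inside the .deb at usr/share/doc/<package>/changelog.Debian.gz (changelog.gz for native packages), so it can be read from a downloaded package without installing it and without packages.debian.org. The sample archive, its version string and the helper names are constructed for the example.

```python
import gzip
import io
import tarfile

def ar_members(deb: bytes):
    """Yield (name, data) for each member of the ar archive a .deb consists of."""
    if deb[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(deb):
        hdr = deb[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        name = hdr[:16].decode("ascii").rstrip(" /")
        size = int(hdr[48:58].decode("ascii").strip())
        yield name, deb[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # member data is padded to an even offset

def changelog_from_deb(deb: bytes, package: str) -> str:
    """Read the changelog shipped inside the package; nothing is unpacked to disk."""
    wanted = (f"usr/share/doc/{package}/changelog.Debian.gz",  # preferred: Debian changes
              f"usr/share/doc/{package}/changelog.gz")         # native packages only have this
    for name, data in ar_members(deb):
        if not name.startswith("data.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            found = {m.name.lstrip("./"): m for m in tar if m.isfile()}
            for path in wanted:
                if path in found:
                    return gzip.decompress(tar.extractfile(found[path]).read()).decode("utf-8")
    raise LookupError(f"no changelog for {package} in this archive")

def _ar_member(name: bytes, data: bytes) -> bytes:
    hdr = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, b"100644", len(data))
    return hdr + data + (b"\n" if len(data) & 1 else b"")

def build_sample_deb(package: str, changelog: str) -> bytes:
    """Constructed sample input: a minimal .deb-shaped archive (control.tar omitted)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        payload = gzip.compress(changelog.encode("utf-8"))
        info = tarfile.TarInfo(f"./usr/share/doc/{package}/changelog.Debian.gz")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return (b"!<arch>\n" + _ar_member(b"debian-binary", b"2.0\n")
            + _ar_member(b"data.tar.gz", buf.getvalue()))

# Constructed changelog text; version and wording are placeholders, not a real upload.
SAMPLE = "xpdf (0.0-1+example1) stable-security; urgency=high\n\n  * Placeholder entry.\n"
```

For a real package, pass the bytes of the downloaded .deb file to `changelog_from_deb`; a data.tar compressed with a format the local Python's tarfile module cannot read will raise an error rather than return text.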
Hi, it appears to me that Debian changelogs are not online via the package pages (eg: http://packages.debian.org/lenny/php-pear -> http://packages.debian.org/changelogs/pool/main/p/php5/php5_5.2.6.dfsg.1-1+lenny4/changelog -> 404 Not Found) when the current version of the package was a security update. I would like to know whether this is a bug in the system, or whether this is intentional. I've just checked against all packages in Lenny which are mentioned in a security advisory on Debian's home page, and it occurs for all of them. FWIW, I don't buy Frans' argument, although his advice mitigates the issue. Kind regards, --Toni++
Hi! * Toni Mueller <toni@debian.org> [2009-12-01 10:12:20 CET]: This is not intentional but an unfortunate bug that is hard to work around. packages.debian.org extracts changelogs, copyright files and similar from the pool. Given that security (and likewise with packages from debports and backports, just for completeness) is living in a completely different pool that packages.debian.org doesn't have direct access to, it's not too easy to fix this issue properly. If someone is willing to dig into the issue, help is definitely wanted. The source code for packages.debian.org can be fetched from this git repository: <http://git.debian.org/?p=webwml/packages.git;a=summary> I plan to dig into the packages sources myself within the next weeks but I can't (and won't) promise anything, especially not within a timely manner. Thanks. :) Rhonda
For about the last two weeks, packages receiving updates in the 'unstable' repository have not had their changelogs copied to the changelogs/pool/... area of packages.debian.org, with the result that 'aptitude' displays a 404 error when asked to display the changelogs of recently updated packages. Example (from unstable/sid as of today): http://packages.debian.org/changelogs/pool/main/a/aptitude/aptitude_0.6.3-4/changelog Not all changelogs are missing; only the ones associated with packages that have been updated in the last two weeks or so. Based on previous commentary on this bug, I'm given to understand there is some conflict that occasionally makes these missing updates unavoidable. Any guesstimates on when this current manifestation might clear up? Schwab
Hi! * Leo L. Schwab <ewhac@ewhac.org> [2011-04-09 04:12:26 CEST]: This is a different thing than what is mentioned in the bug you followed up to. The packages from the regular pool are unaffected by this bug. The thing you report is actually covered in http://bugs.debian.org/622224 (which was reported after your mail, so you couldn't have found it). I'm investigating why the extraction of the changelogs doesn't work anymore, though I get the impression that working on closing this bug would be much more fruitful. I can't figure out in a quick way why the extraction doesn't work anymore (it might be related to the latest lenny point release, but even that's uncertain), and as we need to switch over to use the already extracted files that ftpmasters do offer us so we can include the changelogs for security and backports packages, investing time into the rewrite will give the better outcome. Though - this will take a bit more time, so I can just ask for a bit more patience. Thanks for understanding, Rhonda
Thank you very kindly for your helpful explanation. My apologies for posting against the wrong bug; I tried to find the same bug thread I created the last time this happened (which was around the last major Debian 'stable' release). No problem. Thank you for the reply. Schwab