#529540 Please include changelog and copyright after security uploads

Package:
ftp.debian.org
Source:
ftp.debian.org
Submitter:
"Leo L. Schwab"
Date:
2021-09-22 04:30:18 UTC
Severity:
normal
Tags:

#529540#5
Date:
2009-05-19 22:39:39 UTC
From:
To:
	About two weeks ago, a security-related update for 'xpdf' appeared
in aptitude's Security Updates section.  Pressing 'C' to see what the issue
was, aptitude informed me that it couldn't fetch the changelog.  This has
continued to be the case for the last two weeks.

	Just a day or so ago, 'linux-source-2.6.26' appeared in the Security
Updates section, but its changelog is also missing.

	Please investigate this matter.

					Schwab

#529540#10
Date:
2009-06-01 19:07:11 UTC
From:
To:
	Since about the middle of last week, changelogs have been missing from
all package updates arriving in 'unstable'.  Packages that have not been
updated so recently still have changelogs.  It seems as if the act of
updating the package deletes the changelog.

	This is firmly in the "not good" category.  Please investigate.

					Schwab

#529540#15
Date:
2009-07-30 09:39:54 UTC
From:
To:
Hello,

while trying to read the changelog linked to from here:

http://packages.debian.org/lenny/linux-image-2.6.26-2-amd64

(i.e., when clicking this link:

http://packages.debian.org/changelogs/pool/main/l/linux-2.6/linux-2.6_2.6.26-17lenny1/changelog
)

I get a 404 error message.


Kind regards,
--Toni++

#529540#20
Date:
2009-08-07 08:17:23 UTC
From:
To:
I can also confirm this issue. Sadly, I can't/won't upgrade any packages
without a changelog. It's not that I don't trust the package maintainers, but
a missing changelog is a no-no.

#529540#25
Date:
2009-08-07 10:46:35 UTC
From:
To:
This is just silly.

The updated package is *not* "missing a changelog", the changelog *is*
included in the package, it's just not published on the website quickly
enough for your liking.

Nobody should depend on changelogs published on the website anyway, but
only on the changelogs actually included with the package.

You can easily review any changes in packages *before* installing them by
using the apt-listchanges package, just configure it to display
changelogs and ask for confirmation afterwards.

And if you also want to check if there are any RC bugs against the package
before installing/upgrading it, install apt-listbugs as well...

Cheers,
FJP

#529540#30
Date:
2009-10-29 22:04:04 UTC
From:
To:
	It's happening again.  This time, the packages affected are:
	- xulrunner-1.9
	- xulrunner-1.9-gnome-support
	- libexpat1-dev
	- libexpat1
	- libmozjs1d

	These are marked as critical security updates, but the changelogs
are completely missing, so I've no idea what was wrong or what's been fixed.

	Please investigate this matter.

					Schwab

#529540#35
Date:
2009-10-30 05:28:33 UTC
From:
To:
	Okay, so, after reading the entire thread on this bug (yes, I should
have done that first), it seems that the changelogs are always present in
the package proper, they're just not always up to date on the server.  The
tone of the response suggests this is considered not a problem.

	I dissent.

	When you press 'C' in aptitude to view the changelog for a package,
aptitude goes to packages.debian.org to snarf it down and show it to you.
This seems a perfectly reasonable way to go about it, and it also seems
perfectly reasonable to want to view the changelog before downloading a
potentially large package update.  However, I confess complete ignorance on
the difficulties of keeping packages.debian.org humming along.

	If it is indeed unreasonable to expect the changelogs on the server
to be in sync with the packages, then should I instead be filing an
enhancement request against 'aptitude', so it will fish the changelog out of
the packages proper?

					Schwab
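
The two messages above (the reply that the changelog is always included in the package, and the question about fishing it out of the package proper) can be illustrated with a short reader for the .deb container. This is an added example, not code from aptitude, packages.debian.org or any participant in this thread; the function names and the sample package `hello` with its changelog entry are constructed for illustration.

```python
import gzip, io, tarfile

AR_MAGIC = b"!<arch>\n"
NAMES = ("changelog.Debian.gz", "changelog.gz")  # Debian changelog, then native-package fallback

def ar_members(blob):
    """Yield (name, data) for each member of an ar archive, the .deb container format."""
    if blob[:8] != AR_MAGIC:
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        size = int(hdr[48:58])
        yield hdr[:16].decode().strip().rstrip("/"), blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # member data is padded to an even offset

def deb_changelog(blob):
    """Return the changelog text shipped under usr/share/doc/ inside a .deb."""
    for name, data in ar_members(blob):
        if not name.startswith("data.tar"):
            continue
        found = {}
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:  # gz/bz2/xz, not zst
            for m in tar:
                base = m.name.rsplit("/", 1)[-1]
                if m.isfile() and "usr/share/doc/" in m.name and base in NAMES:
                    found[base] = gzip.decompress(tar.extractfile(m).read())
        for base in NAMES:
            if base in found:
                return found[base].decode("utf-8", "replace")
    raise LookupError("no changelog in package")

def _member(name, data):
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
    return hdr + data + (b"\n" if len(data) & 1 else b"")

def make_sample_deb():
    """Constructed package 'hello' with one made-up changelog entry (not a real upload)."""
    entry = (b"hello (1.0-1+deb0u1) stable-security; urgency=high\n\n"
             b"  * Constructed entry: fix example parsing bug.\n")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        payload = gzip.compress(entry)
        info = tarfile.TarInfo("./usr/share/doc/hello/changelog.Debian.gz")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return AR_MAGIC + _member("debian-binary", b"2.0\n") + _member("data.tar.gz", buf.getvalue())
```

Reading the changelog this way requires the package file to have been downloaded already, which is the trade-off raised in the message above.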

#529540#42
Date:
2009-12-01 09:12:20 UTC
From:
To:
Hi,

it appears to me that Debian changelogs are not online via the package
pages (e.g.: http://packages.debian.org/lenny/php-pear  ->
http://packages.debian.org/changelogs/pool/main/p/php5/php5_5.2.6.dfsg.1-1+lenny4/changelog
-> 404 Not Found)

when the current version of the package was a security update. I would
like to know whether this is a bug in the system, or whether this is
intentional. I've just checked against all packages in Lenny which are
mentioned in a security advisory on Debian's home page, and it occurs
for all of them.

FWIW, I don't buy Frans' argument, although his advice mitigates the
issue.


Kind regards,
--Toni++

#529540#47
Date:
2009-12-01 09:58:41 UTC
From:
To:
	Hi!

* Toni Mueller <toni@debian.org> [2009-12-01 10:12:20 CET]:

 This is not intentional but an unfortunate bug that is hard to work
around. packages.debian.org extracts changelogs, copyright files and
similar from the pool. Given that security (and likewise with packages
from debports and backports, just for completeness) is living in a
completely different pool that packages.debian.org doesn't have direct
access to, it's not too easy to fix this issue properly.

 If someone is willing to dig into the issue, help is definitely wanted.
The source code for packages.debian.org can be fetched from this git
repository: <http://git.debian.org/?p=webwml/packages.git;a=summary>
I plan to dig into the packages sources myself within the next weeks but
I can't (and won't) promise anything, especially not within a timely
manner.

 Thanks. :)
Rhonda

#529540#62
Date:
2011-04-09 02:12:26 UTC
From:
To:
	For about the last two weeks, packages receiving updates in the
'unstable' repository have not had their changelogs copied to the
changelogs/pool/... area of packages.debian.org, with the result that
'aptitude' displays a 404 error when asked to display the changelogs of
recently updated packages.

	Example (from unstable/sid as of today):
http://packages.debian.org/changelogs/pool/main/a/aptitude/aptitude_0.6.3-4/changelog

	Not all changelogs are missing; only the ones associated with packages
that have been updated in the last two weeks or so.

	Based on previous commentary on this bug, I'm given to understand there
is some conflict that occasionally makes these missing updates unavoidable.
Any guesstimates on when this current manifestation might clear up?

					Schwab

#529540#67
Date:
2011-04-12 04:26:15 UTC
From:
To:
	Hi!

* Leo L. Schwab <ewhac@ewhac.org> [2011-04-09 04:12:26 CEST]:

 This is a different thing than what is mentioned in the bug you
followed up to. The packages from the regular pool are unaffected by
this bug. The thing you report is actually covered in
http://bugs.debian.org/622224 (which was reported after your mail, so
you couldn't have found it)

 I'm investigating why the extraction of the changelogs
doesn't work anymore, though I get the impression that working on closing
this bug would be much more fruitful. I can't figure out in a quick way
why the extraction doesn't work anymore (it might be related to the
latest lenny point release, but even that's uncertain), and as we need
to switch over to use the already extracted files that ftpmasters do
offer us so we can include the changelogs for security and backports
packages, investing time into the rewrite will give the better outcome.

 Though - this will take a bit more time, so I can just ask for a bit
more patience.

 Thanks for understanding,
Rhonda

#529540#72
Date:
2011-04-13 00:54:20 UTC
From:
To:
	Thank you very kindly for your helpful explanation.  My apologies
for posting against the wrong bug; I tried to find the same bug thread I
created the last time this happened (which was around the last major Debian
'stable' release).
	No problem.  Thank you for the reply.

					Schwab
