#2240 Please tag new deltarpm

Created 7 years ago by toshio
Modified a month ago

There's a security vulnerability in deltarpm due to its bundling of zlib. New version of deltarpm built without the included zlib. Here's the bugzilla for the relevant zlib update:

Please tag for F12 release:

deltarpm-3.5-0.2 20090913git.fc12


practically a no-brainer, but gotta ask, any testing of the new build?

No problems. I was putting this in so I don't forget while waiting for jdieter to be available. I don't have enough of an idea of what's involved here to test this fully.

jdieter, after the response from Michael Schroeder, I updated the package. Try this version out when you test, it should avoid some problems with the first build:

deltarpm-3.5-0.4 20090913git.fc12.src.rpm

I've tested makedeltarpm between Fedora rpms compressed with zlib and one zlib <=> xz package. Couldn't find a zlib_rsync package to test.

Tested applydeltarpm and applydeltarpm -r on those rpms successfully.

I've tested deltarpm-3.5-0.4 20090913git.fc12 and it works perfectly under yum-presto, which is obviously the main usage case. If Fedora isn't compressing its gzip rpms using zlib_rsync, I'm not hugely worried about that usage case (obviously, we want it to either work or bail out nicely, but fixing the security hole is far more important).

As far as I have seen, I'm happy with tagging http://koji.fedoraproject.org/koji/taskinfo?taskID=1721649

a month ago

Metadata Update from @toshio:
- Issue set to the milestone: Fedora 12 Beta
