[packagers] [PATCH 0/2] subversion security fix for CVE-2009-2411

Tom G. Christensen tgc at statsbiblioteket.dk
Mon Oct 5 16:08:41 CEST 2009


Yury V. Zaytsev wrote:
> Hi!
> 
> On Mon, 2009-10-05 at 14:50 +0200, Tom G. Christensen wrote:
> 
>> Note that additional BRs were required for subversion 1.3.2 and that the
>> neon-devel package in rpmforge is broken since it does not pull in neon
>> itself.
> 
> I could have applied this to spare Christoph's time, but it's apparently
> git formatted while we use Subversion and also the patch was broken down
> in several emails. Couldn't you just send the patches and SPEC diff as
> the attachments?
> 
Unless your mailserver mucked with the formatting, these patches should 
apply with just 'patch' as well.
I can make git-format-patch attach the patches instead of sending them 
inline if that would help.

The patches are broken up because they are (naturally) two separate 
commits in my git repository (one for 1.3 and one for 1.4).

Tracking rpmforge with git-svn is very simple and incredibly powerful 
compared to just subversion.
It's just so easy to keep local customization and things you want 
upstream or just rpmforge updates separate.
I know the git package in rpmforge is crap, I have a better one 
(supports el2-5, based on fedora/upstream) which I'll gladly donate to 
rpmforge.

> As for neon, I think Christoph uses some kind of static version bundled
> with the pack. Isn't it the case?
> 
No.
Subversion 1.3.2 builds against http://packages.sw.be/neon/ (which I 
could not immediately find in rpmforge svn) which seems to be a rebuild 
of el4 neon for el3.

-tgc


