broken tarball export for 3.1.31 #325
Comments
I just saw that composer.json also gets excluded from the tarball export. For the Debian packaging, I actually need that file. Please revert that change in .gitattributes and include composer.json. Thanks!
@wisskid: in the Debian smarty3 package, I rebuild the lexer stuff using smarty-lexer. For that, I need the content of the lexer/ subfolder. The pre-built lexer (and parser) .php files are considered machine-built in Debian and must not be part of some source code.
I see! I'll re-add them, add
smarty3 (3.1.34+20190228.1.c9f0de05+selfpack1-1) unstable; urgency=medium

  * New upstream release.
  * debian/control:
    + Bump Standards-Version: to 4.4.1. No changes needed.
    + Add Rules-Requires-Root: field and set it to "no".
  * debian/{control,compat}:
    + Switch to debhelper-compat notation. Bump DH compat level to version 12.

smarty3 (3.1.33+20180830.1.3a78a21f+selfpack1-1) unstable; urgency=medium

  * New upstream release.
    - CVE-2018-16831: Don't bypass trusted directories with "../". (Closes: #908698).
  * debian/control:
    + Bump Standards-Version: to 4.2.1. No changes needed.

smarty3 (3.1.32+20180424.1.ac9d4b58+selfpack1-1) unstable; urgency=medium

  * New upstream release.
  * debian/*: White-space clean-up at EOL.
  * debian/patches:
    + Drop 0001_CVE-2017-1000480.patch. Applied upstream.
  * debian/rules:
    + Avoid using dpkg-parsechangelog.
  * debian/copyright:
    + Update copyright attributions.
    + Use secure URI to obtain copyright references.
    + Add global Comment: field. Explain about brokenness of upstream tarballs.
  * debian/control:
    + Update Vcs-*: fields. Packaging Git has been migrated to salsa.debian.org.
    + Bump Standards-Version: to 4.1.4. No changes needed.
  * debian/{control,compat}:
    + Bump DH version level to 11.

smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-3) unstable; urgency=medium

  * debian/patches:
    + Add 0001_CVE-2017-1000480.patch. Fixes CVE-2017-1000480. (Closes: #886460).

smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-2) unstable; urgency=medium

  * Re-upload to Debian unstable to enforce package rebuild (as we don't have binNMUs for arch:all packages).
  * debian/control:
    + Update versioned B-D on smarty-lexer (>= 3.1.30+dfsg1-1.1~). This is to assure correct lexer/parser generation which was broken by smarty-lexer 3.1.30+dfsg1-1. See Debian bug #847571 for further reference.

smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-1) unstable; urgency=medium

  * New upstream release.
  * debian/rules:
    + Self-pack orig tarball from Git commit, due to broken upstream tarball generation on Github. For details see: smarty-php/smarty#325
  * debian/copyright:
    + Update copyright attributions.

smarty3 (3.1.30-1) unstable; urgency=medium

  * Upload to unstable.
  * Update versioned B-D:
    + smarty-lexer (>= 3.1.30+dfsg1-1~).

smarty3 (3.1.30-1~exp1) experimental; urgency=medium

  * New upstream release. Upload to experimental for testing with GOsa, FusionDirectory and other web portals that depend on Smarty3.
  * debian/copyright:
    + Update copyright attributions.

smarty3 (3.1.29-2) unstable; urgency=medium

  * Re-upload unchanged to unstable.

smarty3 (3.1.29-1) experimental; urgency=medium

  * New upstream release. (Closes: #825250).
  * debian/smarty3-lexer:
    + Remove shipped-with .plex and .y files for template and configfile parser/lexer. This version uses smarty-lexer src:package at build time instead.
  * debian/control:
    + Add B-D pkg-php-tools (for dh_phpcomposer)
    + Versioned B-D: debhelper (>= 9).
    + Use encrypted URLs for Vcs-*: field.
    + Bump Standards: to 3.9.8. No changes needed.
  * debian/{control,rules}:
    + Create internal lexer and parser PHP code at package build time (using B-D smarty-lexer). (Closes: #765730). This also solves issues in Debian package smarty3 3.1.21-1 caused by lexer/parser PHP files using the old trigger_error class API of Smarty.class.php. (Closes: #799282).
  * debian/smarty3.{install,docs}:
    + Use debhelper for installing bin:package files.
  * debian/compat:
    + Bump to DH version level 9.
  * debian/watch:
    + Upstream location has changed, now on Github.
  * debian/rules:
    + Use pure debhelper, with phpcomposer.
    + Make package build idempotent.
  * debian/copyright:
    + Update copyright attributions.

smarty3 (3.1.21-1.1) unstable; urgency=medium

  * Non-maintainer upload in coordination with the maintainer.
  * Update depends and README.Debian for the php 7.0 transition. Thanks to Wolfgang Schweer for the patch! (Closes: #821660)

smarty3 (3.1.21-1) unstable; urgency=medium

  * New upstream release. (Closes: #765920).
  * debian/smarty3-lexer:
    + Add 4 files from smarty3 SVN that are used to generate some PHP files in the upstream tarball. See README.lexer for details. (Closes: #636148).
  * debian/copyright:
    + Add copyright information for debian/smarty3-lexer/*.
    + Fix upstream license (LGPL-3 -> LGPL-3+) after reading the upstream-shipped COPYING.lib file more thoroughly.
    + Relicense debian/* under same license as upstream sources (LGPL-3+).
  * debian/control:
    + Bump Standards: to 3.9.6. No changes needed.

smarty3 (3.1.19-1) unstable; urgency=medium

  * New upstream release.
    + Obtain upstream sources as zip files from upstream. Stop checking out SVN tags. This change drops three embedded PHP libraries and files with problematic PHP licenses. (Closes: #752614).
  * debian/control:
    + Alioth-canonicalize Vcs-Git field.
    + Bump Standards: to 3.9.5. No changes needed.
  * lintian:
    + Drop unused override: embedded-php-library.

smarty3 (3.1.13-1) unstable; urgency=low

  * New upstream release.
  * /debian/control:
    + Use my DD address in Maintainer: field.
    + Bump Standards: to 3.9.4. No changes needed.
  * /debian/patches:
    + Drop patch: 001_escape-smarty-exception-messages.patch, included in new upstream release.

smarty3 (3.1.10-2) unstable; urgency=low

  * Fix CVE-2012-4437: Add patch 001_escape-smarty-exception-messages.patch. Closes: #688153.

smarty3 (3.1.10-1) unstable; urgency=low

  * New upstream release. Closes: #678095.

smarty3 (3.1.8-2) unstable; urgency=low

  * Package smarty3 provides smarty (closes: #657536).
  * Make /debian/copyright machine parsable, explicitly names files that have dissenting licenses, license /debian folder under GPLv2+.

smarty3 (3.1.8-1) experimental; urgency=low

  * New upstream release (rev. 4611).
  * New package maintainer (closes: #668200).
  * Add watch file (closes: #657385).
  * Add Vcs-* lines to control file.
  * Add README.source that explains how we obtain code from upstream SVN. Make sure all upstream source files are shipped with the Debian source package (closes: #636148).

smarty3 (3.1.0-1) experimental; urgency=low

  * New upstream release (rev. 4284)
  * Used the code source from subversion (Closes: #636148)
  * debian/copyright:
    + added LexerGenerator copyright
    + added ParserGenerator copyright
  * Fixed security holes:
    + multiple unspecified vulnerabilities (CVE-2009-5052, CVE-2009-5053, CVE-2010-4722, CVE-2010-4724, CVE-2010-4726)
    + not consider the umask value when setting the permissions of files (CVE-2009-5054)
    + not prevent access to the dynamic and private object members of an assigned object (CVE-2010-4723)
    + not properly handle an on value of the asp_tags option in the php.ini file (CVE-2010-4725)
    + not properly handle the <?php and ?> tags (CVE-2010-4727)

smarty3 (3.0.8-1) unstable; urgency=low

  * New upstream release (Closes: #631619)
  * Bumped Standards-Version to 3.9.2
  * Updated licence to LGPL-3

smarty3 (3.0~rc1-2) unstable; urgency=low

  * Bumped Standards-Version to 3.9.1
  * Removed debian/watch

smarty3 (3.0~rc1-1) unstable; urgency=low

  * Initial release (Closes: #580754)
smarty3 (3.1.39-2ubuntu1) jammy; urgency=medium

  * SECURITY UPDATE: execution of restricted php methods
    - debian/patches/CVE-2021-21408.patch: Prevent evasion of the static_classes security policy in lexer/smarty_internal_templateparser.y and libs/sysplugins/smarty_internal_templateparser.php.
    - CVE-2021-21408
  * SECURITY UPDATE: code injection through math function
    - debian/patches/CVE-2021-29454-1.patch: verify if the input to the math function is a mathematical expression in libs/plugins/function.math.php.
    - debian/patches/CVE-2021-29454-2.patch: fix to support multiple operators in math equations in libs/plugins/function.math.php.
    - debian/patches/CVE-2021-29454-3.patch: fix to allow multiple parameters in mathematical functions in libs/plugins/function.math.php.
    - CVE-2021-29454
  * Fix for compatibility with php 8.1.
    - debian/patches/php8-1compatibility.patch

smarty3 (3.1.39-2) unstable; urgency=medium

  * debian/watch:
    + Fix Github watch URL.

smarty3 (3.1.39-1) unstable; urgency=medium

  * New upstream release.
  * debian/copyright:
    + Update copyright attributions.

smarty3 (3.1.38-1) unstable; urgency=medium

  * New upstream release.
  * debian/patches:
    + Drop 0001_bring-lexer-source-functionally-up-to-date.patch. Applied upstream.

smarty3 (3.1.36-2) unstable; urgency=medium

  * debian/control:
    + Update versioned B-D on smarty-lexer to (>= 3.1.32+dfsg1-3~).
  * debian/patches:
    + Add 0001_bring-lexer-source-functionally-up-to-date.patch. Bring lexer source functionally up-to-date with (manually edited) compiled version. (Closes: #977604).
  * debian/watch:
    + Switch to format version 4.

smarty3 (3.1.36-1) unstable; urgency=medium

  * New upstream release.
  * debian/rules:
    + Stop creating Git snapshots, use upstream orig tarballs (generated from Github tags) instead.
    + Upstream changelog has been renamed to CHANGELOG.md.
  * debian/copyright:
    + Update copyright attributions.
    + Drop global Comment: field. No tarball repacking anymore.
  * debian/control:
    + Bump Standards-Version: to 4.5.1. No changes needed.
    + Bump DH compat level to version 13.
  * debian/upstream/metadata:
    + Add file. Comply with DEP-12.
I just wanted to upload smarty 3.1.31-1 to Debian unstable, but the tarball as exported by Github is defective:
In commit beeec36#diff-fc723d30b02a4cca7a534518111c1a66, the lexer/ subfolder is marked as
However, this folder is essential for building smarty. Do you see a chance to get this fixed on Github and tag a 3.1.32 (or 3.1.31a) release? If not, I have to import those files manually into the Debian package which I'd like to avoid.
Feedback within the next 2 weeks is necessary to get the 3.1.31 upstream version into Debian 9 (we are in freeze already).
Thanks and Greets,
Mike
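An added example, not part of the original issue or the Smarty project's code: a check a downstream packager could run on a release tarball to confirm that the build inputs named in this issue (`lexer/` and `composer.json`) are present, and to point at the `.gitattributes` rule responsible when they are not. It assumes the exclusion comes from git's `export-ignore` attribute, the standard mechanism that keeps paths out of `git archive` exports; the sample `.gitattributes`, the tarball contents, the simplified pattern matching and all function names are constructed for illustration.

```python
import fnmatch
import io
import tarfile

# Constructed sample, not the project's actual .gitattributes.
SAMPLE_GITATTRIBUTES = """\
/lexer         export-ignore
/composer.json export-ignore
*.md           text
"""
REQUIRED = ["lexer/", "composer.json"]  # build inputs named in this issue

def export_ignored(gitattributes):
    """Return the path patterns that carry the export-ignore attribute."""
    patterns = []
    for line in gitattributes.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#") and "export-ignore" in fields[1:]:
            patterns.append(fields[0])
    return patterns

def under(prefix, path):
    """True if path is prefix itself or lies inside that directory."""
    prefix, path = prefix.strip("/"), path.strip("/")
    return path == prefix or path.startswith(prefix + "/")

def pattern_covers(pattern, path):
    """Simplified matching: "/" in a pattern anchors it, else glob any component."""
    if "/" in pattern.rstrip("/"):
        return under(pattern, path)
    return any(fnmatch.fnmatch(part, pattern) for part in path.strip("/").split("/"))

def archive_members(tar_bytes):
    """Member paths with the single top-level directory stripped."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return {n.split("/", 1)[1] for n in tar.getnames() if "/" in n}

def audit(gitattributes, tar_bytes, required=REQUIRED):
    """Map each required path absent from the archive to the rule that dropped it."""
    ignored, members = export_ignored(gitattributes), archive_members(tar_bytes)
    return {req: next((p for p in ignored if pattern_covers(p, req)), None)
            for req in required if not any(under(req, m) for m in members)}

def sample_tarball(paths, top="smarty-3.1.31"):
    """Constructed stand-in for a downloaded release tarball."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for p in paths:
            info = tarfile.TarInfo(f"{top}/{p}")
            info.size = 1
            tar.addfile(info, io.BytesIO(b"\n"))
    return buf.getvalue()

if __name__ == "__main__":
    print(audit(SAMPLE_GITATTRIBUTES, sample_tarball(["libs/Smarty.class.php"])))
```

An empty result means every required path is in the archive; a `None` value means the path is missing but no `export-ignore` rule explains it, which is worth investigating separately.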