[opensuse-security] [11.1] Wireshark security update has a strange version number
Hi there,

I stumbled across this because I'm used to using apt-get for installing and updating packages. With a default configuration (just the RPMs from the DVD9 media linked into one RPMS.oss directory and the OS-11.1 updates repository as another installation source), it offers me to "update" the wireshark package.

What's strange with this is, that this security update has version
1.0.4-2.1
while the original one from the installation DVD has version
1.0.4-2.5

So, I could work-around this by creating an entry in /etc/apt/preferences (similar to zypper's priority and locks mechanisms), but to me this sounds wrong. Shouldn't have an update package _always_ have a version number than its preceding package, i.e. the one that the update should replace?!?! FWIW, I extracted both RPMs and compared the resulting directories, and there are indeed differences:

# diff -rcp wireshark-1.0.4-2.1 wireshark-1.0.4-2.5
Files wireshark-1.0.4-2.1/usr/lib/libwireshark.so.0 and wireshark-1.0.4-2.5/usr/lib/libwireshark.so.0 differ
Files wireshark-1.0.4-2.1/usr/lib/libwireshark.so.0.0.1 and wireshark-1.0.4-2.5/usr/lib/libwireshark.so.0.0.1 differ
Files wireshark-1.0.4-2.1/usr/share/man/man1/wireshark.1.gz and wireshark-1.0.4-2.5/usr/share/man/man1/wireshark.1.gz differ
Files wireshark-1.0.4-2.1/usr/share/man/man4/wireshark-filter.4.gz and wireshark-1.0.4-2.5/usr/share/man/man4/wireshark-filter.4.gz differ

Don't get me wrong, I'm not arguing that apt-get is better than zypper (in fact, zypper is much better than apt-get in the meantime, but there's a lot of legacy repositories I have created myself... and as long as I'm still using older SUSE versions like SLES 10, openSUSE 10.3, there's not really an option to switch over to zypper completely yet), but shouldn't the build service ensure, that an updated package will get a monotonously increasing version number? And, shouldn't this "wireshark security update" be re-built with a proper version number?

BTW, why have glibc and glibc-devel differing version numbers on i586 and i686? These are the packages on the DVD:

i586/glibc-2.9-2.8.i586.rpm
i586/glibc-devel-2.9-2.8.i586.rpm
i686/glibc-2.9-2.3.i686.rpm
i686/glibc-devel-2.9-2.3.i686.rpm

This would lead to an "update" for glibc using apt-get as well... Architectural "compatible" packages should have identical version numbers, shouldn't they?

TIA, cheers.

l8er
manfred
On Tue, Jan 13, 2009 at 10:10:49AM +0100, Manfred Hollstein wrote:
> Hi there,
>
> I stumbled across this because I'm used to using apt-get for installing and updating packages. With a default configuration (just the RPMs from the DVD9 media linked into one RPMS.oss directory and the OS-11.1 updates repository as another installation source), it offers me to "update" the wireshark package.
>
> What's strange with this is, that this security update has version
> 1.0.4-2.1
> while the original one from the installation DVD has version
> 1.0.4-2.5
>
> So, I could work-around this by creating an entry in /etc/apt/preferences (similar to zypper's priority and locks mechanisms), but to me this sounds wrong. Shouldn't have an update package _always_ have a version number than its preceding package, i.e. the one that the update should replace?!?! FWIW, I extracted both RPMs and compared the resulting directories, and there are indeed differences:

Of course... It is a bug in the patch building engine which got changed for 11.1

We fixed the other affected updates already, I just approved the fixed wireshark.

> but shouldn't the build service ensure, that an updated package will get a monotonously increasing version number? And, shouldn't this "wireshark security update" be re-built with a proper version number?

Yes, it was.

> BTW, why have glibc and glibc-devel differing version numbers on i586 and i686? These are the packages on the DVD:
>
> i586/glibc-2.9-2.8.i586.rpm
> i586/glibc-devel-2.9-2.8.i586.rpm
> i686/glibc-2.9-2.3.i686.rpm
> i686/glibc-devel-2.9-2.3.i686.rpm
>
> This would lead to an "update" for glibc using apt-get as well... Architectural "compatible" packages should have identical version numbers, shouldn't they?

Different problem... No idea.

Ciao, Marcus

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
Hi Marcus,

On Tue, 13 Jan 2009, 10:13:46 +0100, Marcus Meissner wrote:
> On Tue, Jan 13, 2009 at 10:10:49AM +0100, Manfred Hollstein wrote:
> > [...] So, I could work-around this by creating an entry in /etc/apt/preferences (similar to zypper's priority and locks mechanisms), but to me this sounds wrong. Shouldn't have an update package _always_ have a version number than its preceding package, i.e. the one that the update should replace?!?! FWIW, I extracted both RPMs and compared the resulting directories, and there are indeed differences:
>
> Of course... It is a bug in the patch building engine which got changed for 11.1
>
> We fixed the other affected updates already, I just approved the fixed wireshark.

Thanks, I just installed the update; so, this problem is solved ;-)

> > BTW, why have glibc and glibc-devel differing version numbers on i586 and i686? These are the packages on the DVD:
> >
> > i586/glibc-2.9-2.8.i586.rpm
> > i586/glibc-devel-2.9-2.8.i586.rpm
> > i686/glibc-2.9-2.3.i686.rpm
> > i686/glibc-devel-2.9-2.3.i686.rpm
> >
> > This would lead to an "update" for glibc using apt-get as well... Architectural "compatible" packages should have identical version numbers, shouldn't they?
>
> Different problem... No idea.

Hmm, as it _is_ annoying, should I bugzilla this?

> Ciao, Marcus

Cheers.

l8er
manfred
On Tue, Jan 13, 2009 at 11:26:25AM +0100, Manfred Hollstein wrote:
> Hi Marcus,
>
> On Tue, 13 Jan 2009, 10:13:46 +0100, Marcus Meissner wrote:
> > On Tue, Jan 13, 2009 at 10:10:49AM +0100, Manfred Hollstein wrote:
> > > [...] So, I could work-around this by creating an entry in /etc/apt/preferences (similar to zypper's priority and locks mechanisms), but to me this sounds wrong. Shouldn't have an update package _always_ have a version number than its preceding package, i.e. the one that the update should replace?!?! FWIW, I extracted both RPMs and compared the resulting directories, and there are indeed differences:
> >
> > Of course... It is a bug in the patch building engine which got changed for 11.1
> >
> > We fixed the other affected updates already, I just approved the fixed wireshark.
>
> Thanks, I just installed the update; so, this problem is solved ;-)
>
> > > BTW, why have glibc and glibc-devel differing version numbers on i586 and i686? These are the packages on the DVD:
> > >
> > > i586/glibc-2.9-2.8.i586.rpm
> > > i586/glibc-devel-2.9-2.8.i586.rpm
> > > i686/glibc-2.9-2.3.i686.rpm
> > > i686/glibc-devel-2.9-2.3.i686.rpm
> > >
> > > This would lead to an "update" for glibc using apt-get as well... Architectural "compatible" packages should have identical version numbers, shouldn't they?
> >
> > Different problem... No idea.
>
> Hmm, as it _is_ annoying, should I bugzilla this?

Yes. But I think it's not changeable anymore since the media are frozen.

Ciao, Marcus
On Tue, 13 Jan 2009, 11:27:23 +0100, Marcus Meissner wrote:
> On Tue, Jan 13, 2009 at 11:26:25AM +0100, Manfred Hollstein wrote:
> > On Tue, 13 Jan 2009, 10:13:46 +0100, Marcus Meissner wrote:
> > > On Tue, Jan 13, 2009 at 10:10:49AM +0100, Manfred Hollstein wrote:
> > > > [...] BTW, why have glibc and glibc-devel differing version numbers on i586 and i686? These are the packages on the DVD:
> > > >
> > > > i586/glibc-2.9-2.8.i586.rpm
> > > > i586/glibc-devel-2.9-2.8.i586.rpm
> > > > i686/glibc-2.9-2.3.i686.rpm
> > > > i686/glibc-devel-2.9-2.3.i686.rpm
> > > >
> > > > This would lead to an "update" for glibc using apt-get as well... Architectural "compatible" packages should have identical version numbers, shouldn't they?
> > >
> > > Different problem... No idea.
> >
> > Hmm, as it _is_ annoying, should I bugzilla this?
>
> Yes. But I think it's not changeable anymore since the media are frozen.

Thx, this is https://bugzilla.novell.com/show_bug.cgi?id=465662

> Ciao, Marcus

Cheers.

l8er
manfred
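Added example, not part of the original thread and not openSUSE's own tooling: a Python check that flags packages in an update repository whose version-release is not newer than the same package on the base media, and package names whose release differs between architectures. The comparison is a simplified segment-wise rendition of RPM version ordering (no epoch, tilde or caret handling); the wireshark architecture and the `2.6.1` release are constructed for illustration.

```python
import re

_SEG = re.compile(r"\d+|[A-Za-z]+")

def vercmp(a, b):
    """Simplified RPM-style comparison of two version or release strings."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments are newer

def split_rpm(path):
    """'i586/glibc-devel-2.9-2.8.i586.rpm' -> ('glibc-devel', '2.9', '2.8', 'i586')"""
    stem = path.rsplit("/", 1)[-1]
    stem = stem[:-4] if stem.endswith(".rpm") else stem
    stem, arch = stem.rsplit(".", 1)
    name, version, release = stem.rsplit("-", 2)
    return name, version, release, arch

def not_newer(base, updates):
    """Update files that would not supersede the base package (same name and arch)."""
    shipped = {}
    for path in base:
        n, v, r, a = split_rpm(path)
        shipped[(n, a)] = (v, r)
    bad = []
    for path in updates:
        n, v, r, a = split_rpm(path)
        old = shipped.get((n, a))
        if old and (vercmp(v, old[0]) or vercmp(r, old[1])) <= 0:
            bad.append(path)
    return bad

def arch_mismatches(paths):
    """Package names whose version-release differs between architectures."""
    seen, out = {}, set()
    for path in paths:
        n, v, r, _ = split_rpm(path)
        if seen.setdefault(n, (v, r)) != (v, r):
            out.add(n)
    return sorted(out)

# Constructed file lists; the wireshark arch and the 2.6.1 release are assumptions.
DVD = ["wireshark-1.0.4-2.5.i586.rpm", "i586/glibc-2.9-2.8.i586.rpm",
       "i586/glibc-devel-2.9-2.8.i586.rpm", "i686/glibc-2.9-2.3.i686.rpm",
       "i686/glibc-devel-2.9-2.3.i686.rpm"]
UPDATES = ["wireshark-1.0.4-2.1.i586.rpm", "wireshark-1.0.4-2.6.1.i586.rpm"]
```

Running `not_newer(DVD, UPDATES)` before publishing an update repository catches the wireshark case described in the thread; `arch_mismatches(DVD)` reports the glibc discrepancy.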
participants (2): Manfred Hollstein, Marcus Meissner