Sign me up Login

Details about package gh

Name:	gh (PTS)
Uploader:	Loren M. Lang <lorenl@north-winds.org> (Debian QA page)
Description:	gh - GitHub CLI, GitHub’s official command line tool

Package uploads

Upload #1

Information

Version:	2.23.0+dfsg1-1.1
Uploaded:	2024-12-29 11:41
Source package:	gh_2.23.0+dfsg1-1.1.dsc
Distribution:	bookworm
Section:	golang
Priority:	optional
Homepage:	https://cli.github.com/
Vcs-Browser:	https://salsa.debian.org/go-team/packages/gh
Vcs-Git:	https://salsa.debian.org/go-team/packages/gh.git
Closes bugs:	#1087883

Changelog

 gh (2.23.0+dfsg1-1.1) bookworm; urgency=medium
 .
   * Non-maintainer upload.
   * Applied patch to fix CVE-2024-52308 (Closes: #1087883)

QA information

–
Package uses debhelper-compat

Debhelper compatibility level 13

–

Newer upstream version available

Local:	2.23.0+dfsg1
Upstream:	2.64.0
Url:	https://github.com/cli/cli/archive/refs/tags/v2.64.0.tar.gz

–
Package is not native

Format: 3.0 (quilt)
–
The uploader is not in the package's "Maintainer" or "Uploaders" fields
User email

lorenl@north-winds.org

"Maintainer" email

team+pkg-go@tracker.debian.org

"Uploaders" emails
- foka@debian.org
–
Package has lintian errors
gh changes
- E bad-distribution-in-changes-file
  - bookworm
gh source
- I anticipated-repack-count
  - 2.23.0+dfsg1-1.1
- I debian-rules-parses-dpkg-parsechangelog
  - [debian/rules:16]
- I missing-built-using-field-for-golang-package
  - (in section for gh) [debian/control:58]
- I out-of-date-standards-version
  - 4.6.2 (released 2022-12-17) (current is 4.7.0)
- X debian-watch-does-not-check-openpgp-signature
  - [debian/watch]
- X prefer-uscan-symlink
  - filenamemangle s%(?:.*?)?v?(\d[\d.]*)%@PACKAGE@-$1.tar.gz% [debian/watch:7]
- X update-debian-copyright
  - 2021 vs 2024 [debian/copyright:12]
- X very-long-line-length-in-source-file
  - 1030 > 512 [debian/go/src/github.com/cli/crypto/xts/xts_test.go:50]
  - 1203 > 512 [debian/go/src/github.com/cli/crypto/ssh/testdata/keys.go:193]
  - 1245 > 512 [debian/go/src/github.com/cli/crypto/openpgp/packet/private_key_test.go:249]
  - 1246 > 512 [debian/go/src/github.com/cli/crypto/openpgp/packet/public_key_test.go:228]
  - 1487 > 512 [pkg/cmd/status/status_test.go:145]
  - 1606 > 512 [debian/go/src/github.com/cli/crypto/ssh/certs_test.go:60]
  - 1984 > 512 [debian/go/src/github.com/cli/crypto/chacha20/vectors_test.go:509]
  - 2125 > 512 [pkg/cmd/workflow/list/list_test.go:244]
  - 3464 > 512 [debian/go/src/github.com/cli/crypto/pkcs12/pkcs12_test.go:91]
  - 517 > 512 [debian/go/src/github.com/cli/crypto/blake2b/blake2b_test.go:846]
  - 517 > 512 [debian/go/src/github.com/cli/crypto/blake2s/blake2s_test.go:1049]
  - 5266 > 512 [debian/go/src/github.com/cli/crypto/openpgp/keys_data_test.go:6]
  - 552 > 512 [debian/go/src/github.com/cli/crypto/ssh/kex.go:704]
  - 552 > 512 [docs/gh-vs-hub.md:7]
  - 5525 > 512 [debian/go/src/github.com/cli/crypto/openpgp/read_test.go:502]
  - 571 > 512 [docs/working-with-us.md:35]
  - 602 > 512 [debian/go/src/github.com/cli/crypto/openpgp/packet/signature_test.go:78]
  - 709 > 512 [debian/go/src/github.com/cli/crypto/openpgp/packet/opaque_test.go:67]
  - 732 > 512 [internal/authflow/success.go:36]
  - 8230 > 512 [debian/go/src/github.com/cli/crypto/chacha20poly1305/chacha20poly1305_vectors_test.go:275]
  - 920 > 512 [debian/go/src/github.com/cli/crypto/otr/otr_test.go:45]
–
Package closes RC bug
- src:gh:
  - #1087883 (Grave): gh: CVE-2024-52308
–
Package is already in Debian
- Detected as a non-maintainer upload
- The package uploader is not currently maintaining gh in Debian
- Last upload was on the 2024-03-27
–
d/copyright is in DEP5 format

Upstream Contact: https://github.com/cli/cli/issues/new

Licenses: Expat, BSD-3-Clause

Comments

Hi,

You seem to trying for a stable release update. See link below.

https://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

Always try have conversation with the maintainer where possible. Looking at the link below it is is still unfixed in unstable, where it must be fixed first.

https://security-tracker.debian.org/tracker/CVE-2024-52308

Regards

Phil

Phil Wyett at Dec. 30, 2024, 1:19 a.m.

Thanks for the feedback. I have also uploaded the corresponding update for unstable as well to mentors. I am writing to the maintainer now to discuss the package update and resolution.

Loren M. Lang at Dec. 30, 2024, 9:47 a.m.

Upstream Contact:	https://github.com/cli/cli/issues/new
Licenses:	Expat, BSD-3-Clause