I saw the bug has been closed. Great work, Olek!
By the way, I have bumped the version to 4.1.0. Two additional patches are needed: one to remove the "bazel_skylib" dependency introduced by a "darwin-arm64" workaround and one to use the Debian-provided "rxjava". The latter one can be sent to upstream, and the first one is going to stay until we get "bazel_skylib" ready.
Please review the changes when you have time. I am still working on the d/copyright stuff you mentioned, but I am not able to commit much time near the end of the quarter. Hopefully someone else can help me with that.
Yun, can you take a look at the "rxjava" patch? I can open a PR if it is good.
FYI: As I haven't updated the "pristine-tar" and "upstream" branches of our main repo yet (I'd like to leave them to Olek), the CI would always fail with "uscan error: unzip binary not found". Plus, it seems that Salsa no longer runs CI on personal repos.
Thanks,
Jesse.
On 5/31/2021 8:17 AM, Yun Peng wrote:
Thanks, Olek!
Looks like the bug is fixed in the latest release of google-oauth-client. Does this mean we just need to upgrade its version in Debian?
Please let me know if I can help with anything!
On Sun, May 30, 2021 at 6:32 PM Olek Wojnar <olek@debian.org> wrote:
Debian Bazel Team,
It just came to my attention that there is a Release Critical Security Bug against the google-oauth-client-java package. [1] If not fixed quickly, this will result in the removal of that package as well as its dependencies (google-api-client-java and bazel-bootstrap).
Fixing this is now my #1 priority. I'll update this list with progress.
-Olek
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988944