Backporting dar is quite simple - you just need to recompile the Lenny version in an Etch environment. It's a nice occasion to cover the very basics.
You need to modify debian/changelog though. Enter the freetype-2.3.5 directory, and type:
If you want to use another editor, you can also:
EDITOR=emacs dch -i
Here's my final changelog entry:
freetype (2.3.5-1~bpo40+1) etch-backports; urgency=low

  * Rebuild for Debian Backports <http://www.backports.org/>
    (new version works with SDL_ttf, previous one was buggy)

 -- Sylvain Beucler <email@example.com>  Mon, 10 Dec 2007 12:46:10 +0100
What did I do?
- Changed version according to bpo convention:
  - the testing version was: 2.3.5-1
  - dch proposes by default
  - I use ORIGINALVERSION~bpoDEBIANVERSION+BACKPORTVERSION: 2.3.5-1~bpo40+1 (Etch is version 4.0)
- Changed distribution from
- Added a terse explanation
- Checked my mail address.
To generate the initial changelog entry template automagically, madduck suggests using
dch -D etch-backports -b -v$(dpkg-parsechangelog | sed -ne 's,^Version: ,,p')~bpo40+1 -- \
  "Rebuild for Debian Backports <http://www.backports.org/>"
Also add your name in
Uploaders: ..., Sylvain Beucler <firstname.lastname@example.org>
so the package will appear in your QA page.
Then, in the freetype-2.3.5 directory, start the compilation.
debuild -us -uc
The -sa debuild option is not necessary: by default, if the version ends with '0' or '1' (as 'bpo40+1' does), dpkg-buildpackage uses the existing source release (the .orig.tar.gz file must be present in the parent directory, though).
Now you can test your dar package:
sudo dpkg -i libfreetype6_2.3.5-1~bpo40+1_i386.deb
= Check your changes
Check your changes using
mkdir tmp
cd tmp
cp ../freetype*.diff.gz .
gunzip *
interdiff freetype_2.3.5-1.diff freetype_2.3.5-1~bpo40+1.diff
If you see some source changes that you didn't make, then your backport is not clean (probably it's a leftover from an incomplete make clean). Usually, just remove the current directory and extract a new clean one using
= Tracking security
When you backport a package, it is good to track security issues that affect it and update your package accordingly.
An easy way is subscribing to the debian-security-announce mailing list, which sends a mail each time a security fix is published for Debian.
Understanding security is difficult though. For example, in the case of Freetype for Etch, changelog.Debian mentions a fix in July 2007:
freetype (2.2.1-5+etch2) stable-security; urgency=high

  * debian/patches-freetype/CVE-2007-1351_pdf-overflow: address
    CVE-2007-1351, an integer overflow bug in the handling of BDF fonts.
    Closes: #426771.

 -- Steve Langasek <email@example.com>  Mon, 09 Jul 2007 17:21:11 -0700
while the security announcement was actually published nearly 6 months later:
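Since changelog.Debian can record a fix well before any announcement reaches the mailing list, the following Python script (an added example, not code from the original post) parses changelog entries and reports which CVE ids each one names and when the fix was made, so the date can be compared with an announcement date you supply. The names parse_changelog, cve_fixes and days_until are hypothetical, and the sample input is constructed by joining the two changelog entries quoted on this page.

```python
import re
from email.utils import parsedate_to_datetime

# Header: "source (version) distribution; urgency=level"; trailer: " -- Name <mail>  date"
HEADER = re.compile(r"^(?P<source>\S+) \((?P<version>[^)]+)\) (?P<dist>[^;]+); urgency=(?P<urgency>\w+)")
TRAILER = re.compile(r"^ -- .*?>\s+(?P<date>.+)$")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample: the two changelog entries quoted on this page, joined into one file.
SAMPLE = """\
freetype (2.3.5-1~bpo40+1) etch-backports; urgency=low

  * Rebuild for Debian Backports <http://www.backports.org/>

 -- Sylvain Beucler <email@example.com>  Mon, 10 Dec 2007 12:46:10 +0100

freetype (2.2.1-5+etch2) stable-security; urgency=high

  * debian/patches-freetype/CVE-2007-1351_pdf-overflow: address CVE-2007-1351,
    an integer overflow bug in the handling of BDF fonts. Closes: #426771.

 -- Steve Langasek <email@example.com>  Mon, 09 Jul 2007 17:21:11 -0700
"""

def parse_changelog(text):
    """Return one dict per entry, newest first, with the CVE ids it mentions."""
    entries, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = dict(m.groupdict(), cves=set(), date=None)
            entries.append(cur)
        elif cur is not None and (t := TRAILER.match(line)):
            cur["date"] = parsedate_to_datetime(t.group("date"))
            cur = None  # entry closed; skip anything before the next header
        elif cur is not None:
            cur["cves"].update(CVE.findall(line))
    return entries

def cve_fixes(entries):
    """Map each CVE id to (version, distribution, date) of the oldest entry naming it."""
    fixes = {}
    for e in entries:  # newest first, so an older entry overwrites a newer one
        for cve in e["cves"]:
            fixes[cve] = (e["version"], e["dist"], e["date"])
    return fixes

def days_until(fix_date, announced):
    """Whole days from the changelog fix to an announcement date supplied by the caller."""
    return (announced - fix_date).days
```

Run it over the changelog.Debian of the package you backported; a CVE from an announcement that is absent from the result is one to check by hand.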