From: Jon Turney
To: cygwin AT cygwin DOT com
Cc: Jari Aalto
Reply-To: cygwin AT cygwin DOT com
Subject: Re: Security update needed for mercurial (upload error: doesn't follow naming convention)
Date: Wed, 20 Apr 2016 18:14:10 +0100
Message-ID: <5717B8E2.3010605@dronecode.org.uk>
In-Reply-To: <20160420165640.GB9640@piccolo>

On 20/04/2016 17:56, Jari Aalto wrote:
>> 3.7.3 as a security release, with fixes for:
>>
>> CVE-2016-3630 Mercurial: remote code execution in binary delta decoding
>> CVE-2016-3068 Mercurial: arbitrary code execution with Git subrepos
>> CVE-2016-3069 Mercurial: arbitrary code execution when converting Git repos
>
> New release uploaded, but I got this message (x64)? Thanks.
> ERROR: tar file 'mercurial-3.7.3.tar.gz' in package 'mercurial' doesn't follow naming convention
> ERROR: error while reading uploaded packages for Jari Aalto

Yes, you seem to have uploaded:

mercurial-3.7.3.tar.gz - upstream tar file
mercurial-3.7.3-1.tar.xz - cygwin binary package
mercurial-3.7.3-1-src.tar.xz - cygwin source package containing the upstream tar file and build script

The behaviour of upset was to accept mercurial-3.7.3.tar.gz as a binary package file, fortunately of a version preceding 3.7.3-1. This was never correct, so it's now reported as an error.

I have removed the upstream tar files to allow the upload to proceed.

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple