%changelog * Wed May 06 2020 OndÅej LysonÄk <olysonek> - 1.0.49-5 - Fix CVE-2020-9365 and CVE-2020-9274 - Resolves: rhbz#1828688 - Resolves: rhbz#1831059 it resolves nothing because they are never applied [harry@srv-rhsoft:/downloads]$ cat pure-ftpd.spec | grep -i patch Patch0: 0001-modify-pam.patch Patch1: 0002-fedora-specific-config-file.patch # Upstream patch: Patch2: 0001-listdir-reuse-a-single-buffer-to-store-every-file-na.patch # Upstream patch: Patch3: 0001-diraliases-always-set-the-tail-of-the-list-to-NULL.patch # Upstream patch: Patch4: 0001-pure_strcmp-len-s2-can-be-len-s1.patch - Apply upstream patch to increase the size limit of the process's data segment - Dropped patch 0003-Allow-having-both-options-and-config-file-on-command.patch - add patch for x86_64 support - rediff config patch
in other words without something like this yiu are don't fix anything by just add patches to the spec file and src.rpm %prep %setup -q %patch1 -p1 %patch2 -p1 %patch3 -p1
I appreciate you reviewing other people's work, but have you actually checked that the patches are not applied? We're using '%autosetup -S git', which means that the patches get applied automatically using git.
well, i maintain pure-ftpd at my own for years, noticed some patches while upstream is still at "pure-ftpd-1.0.49.tar.gz 03-Apr-2019 11:03" and "borrowed" them, typically i look at %prep which are really used given that not everything bundeled with the src.rpm is applied or sometimes patches are applied conditional not a friend of too much magic bot, wel, ok