Hi,

Yann Leboulanger wrote (27 Dec 2012 22:02:54 GMT) :
> On 12/27/2012 10:48 PM, intrigeri wrote:
>> I'm absolutely not sure what is the best thing to do now:
>>
>> 1. unblock the embedded python-gnupg copy to the "current copy of
>> Wheezy's python-gnupg + small change that supposedly improves
>> things": take the risk to see a regression in gajim due to changes
>> brought by the library update;

> Have you seen the diff?

I haven't: it's quite big, and most big changes have some potential for regression during freeze time. I'm not saying the probability is high, I'm just stating that a risk does exist, so that the release team can take it into account when they make a decision.

> I don't see what security issue it could cause.

I did not mention anything related to security in the #1 option. (And even if I had, guess what: people generally don't see what security issue they introduce, at the time they do. Sorry for the nitpicking ;)

> But without it, Gajim can traceback, that is a fact.

I'm sorry I missed this important piece of information. Where was I supposed to learn about it? (Not a rhetorical question, I've genuinely searched, and failed to find it in the unblock request-related set of messages. I guess it might be #670243 that is related to GnuPG support, but it's unclear to me if that one was fixed by the modifications made to the embedded python-gnupg copy, or by the upgrade thereof.)

>> Note that, even if this unblock is granted, gajim remains RC-buggy in
>> Wheezy and unstable due to the #693048 security issue.

> [...] So do what you want, remove Gajim from Debian because of this
> security issue if you want.

I think the worst that can happen as a result from this security issue is certainly not removing Gajim from Debian altogether: it's not shipping Gajim in Wheezy, if no package deemed suitable for release is ready on time. I would find it pretty sad, but stable backports are here to fill the hole in such situations.

> Just note that it's now 3 months that debian testing users cannot
> use video in Gajim because 0.15.1 is still blocked.

I'm sorry about that.
Please note the fix to this specific bug was ACK'd by a Release Team member mid-October, so it could have been pretty smoothly fixed in Wheezy, had it not been bundled with a bunch of other changes that were less easy to decide upon, by requiring additional information or other changes from your side.

I'm sorry the Release Team is overwhelmed with unblock requests, so their delays in replying to this bug report were quite long sometimes: every back'n'forth round-trip then takes time, so the best way to ensure such an unblock request is treated quickly is to only include changes that are evidently freeze-compliant, and document them very well at unblock request time, when this is not done in debian/changelog yet.

I hope it may help next time! :)

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc