On Mon, Mar 26, 2018 at 10:55:04PM +0100, Simon McVittie wrote:
> On Tue, 27 Mar 2018 at 07:45:27 +1030, Ron wrote:
> > There's actually some more interesting fixes after the 1.3.3 tag, so I
> > should probably nudge upstream toward a 1.3.4 tag sometime soon and pull
> > in the corner case patch with those.
>
> Sure, I'm in no rush to see 1.3.3.

Cool, this is the reference implementation of a stable standard, so it is generally more surprising when there is some significant change to it than that it's been years since the last one.

> Updating to a new upstream release would probably also be a good
> opportunity to catch up on 3½ years of packaging best-practice (

Just on the specifics of this:

> lose the -dbg package,

This would mean people wanting a backport to oldstable would lose easy access to debug symbols, so right now I'd still consider that to be a regression. We're almost at the point where Wheezy is EOL for LTS support now, but Jessie still has more than 2 years to run, so we're still at least a whole cycle away from this being a Good Thing to do in the "next upload".

> fix Lintian warnings,

There are none which are flagging an actual problem in this package. I care about the ones which do, the rest it's much less interesting to play whack-a-mole with.

> rebuilding with newer gcc defaults might well produce better-hardened
> binaries.

Do you have something specific in mind which might apply here beyond the current set of explicit hardening options this is built with? If there are I'm interested to know more about that - but if "rebuild with newer toolchain" uploads is going to be a thing, then waiting for gcc-8 to become the default in this cycle might be the right point for that to happen?

Best,
Ron