On 2018-12-03 14:23, Antoine Beaupré wrote:
On 2018-12-03 08:16:47, Julien Cristau wrote:
Control: tag -1 confirmed
On Mon, Jun 18, 2018 at 01:56:11PM -0400, Antoine Beaupre wrote:
diff -Nru monkeysign-2.2.3/debian/changelog
monkeysign-2.2.4/debian/changelog
--- monkeysign-2.2.3/debian/changelog 2017-01-24 15:40:35.000000000
-0500
+++ monkeysign-2.2.4/debian/changelog 2018-06-18 12:18:46.000000000
-0400
@@ -1,3 +1,14 @@
+monkeysign (2.2.4) unstable; urgency=medium
+
+ [ Tobias Rueetschi ]
+ * false isn't defined, that must be False
+
+ [ Antoine Beaupré ]
+ * actually send multiple emails instead of a single one
+ * CVE-2018-12020: add no verbose to avoid fake signatures
+
+ -- Antoine Beaupré <anar...@debian.org> Mon, 18 Jun 2018 12:18:46
-0400
+
monkeysign (2.2.3) unstable; urgency=medium
[ Simon Fondrie-Teitler ]
This would need to be versioned as 2.2.3+deb9u1.
But it's exactly the 2.2.4 release published to unstable - why the
different version number?
Because, as you say, a package with the version "2.2.4" has already been
uploaded to Debian. One can't have a different package in stable and
unstable with the same version number.
(It's not "exactly the same" - the stretch upload will be built in a
stretch chroot, so may well end up with different dependencies. At the
very least, it needs a d/changelog entry detailing that it was uploaded
to stable, which makes it different from the unstable upload.)
Regards,
Adam
