On 2019-06-08 10:22:54 [+0200], Paul Gevers wrote:
> Control: tags -1 moreinfo
>
> Hi Sebastian,
Hi Paul,
> Can you please elaborate why this version meets the freeze policy, or
> why it should get an exception? In the text above there is no mention at
> all of serious bugs that get fixed. openssl is a rather important
> package and we don't want to risk of regression this late in the release
> so we are *very* reluctant to have new upstream releases. Please help us
> make the right judgment call.
I don't want to put anything wrong so let me try to word this
conservatively:
The stable team never officially agreed to include new OpenSSL stable
releaes (which contain security related and important bug fixes) into
stable but they were not against it. I *think* the stable release team
did not have the time to evaluate the situtation completely, the Debian
security team liked the idea and so we had new OpenSSL uploads via the
security.d.o channel (the stable team was aware of it (I don't have the
bug regarding this discussion, this is from my memory)). I *think* the
first upload was
https://lists.debian.org/debian-security-announce/2018/msg00280.html
Once this is sorted out I would prepare them for stable, too.
If there is anything else, please let me know.
> Even if we were to unblock, can we get the m2crypto fix available, such
> that they can migrate together? I understood (last time I checked that
> bug) that this may just be a test fix?
I believe m2crypto's upstream made a new release which has all fixes and
the last time I looked, that offending test got disabled. I will check,
provide a backport, prepare a NMU for m2crypto and its unblock.
> Paul
Sebastian
