Hi Simon,

Thank you for looping us in.
On Thu, Jan 12, 2023 at 10:10:35AM +0000, Simon McVittie wrote:
> Control: tags -1 + security
>
> On Wed, 11 Jan 2023 at 16:37:01 +0000, Philip Withnall wrote:
> > Are there plans to backport the recent GVariant security fixes to
> > Debian Stable?
> >
> > These are:
> > - https://gitlab.gnome.org/GNOME/glib/-/issues/2782
> > - https://gitlab.gnome.org/GNOME/glib/-/issues/2121
> > - https://gitlab.gnome.org/GNOME/glib/-/issues/2540
> > - https://gitlab.gnome.org/GNOME/glib/-/issues/2794
> > - https://gitlab.gnome.org/GNOME/glib/-/issues/2797
> > - https://gitlab.gnome.org/GNOME/glib/-/issues/2840
> > - https://gitlab.gnome.org/GNOME/glib/-/issues/2841
> >
> > In addition, these two issues have highly related fixes (which it's
> > probably easiest to backport in the same tranche), but they are not
> > security issues:
> > - https://gitlab.gnome.org/GNOME/glib/-/issues/2612
> > - https://gitlab.gnome.org/GNOME/glib/-/issues/2839
> >
> > Apologies if a decision has been deliberately taken to not backport
> > them, I don't fully understand the criteria for what gets backported.
>
> There are actually two sets of criteria for what gets backported to
> stable. If the Debian security team (Cc'd) thinks an issue is sufficiently
> serious to need a security advisory and an immediate release, then they
> prepare a security update, either doing the work themselves or coordinating
> with the package's maintainer for the actual code changes.
>
> If the security team are not interested in an issue, but the package's
> maintainer thinks the issue needs a stable update, then the package's
> maintainer coordinates with the release team to get the change into the
> next stable point release, which happens once per 1-2 months.
>
> I think these issues are all denial-of-service, which the security team
> usually treats as not sufficiently important for an advisory and an
> off-schedule fix. Security team: do you agree, based on the information
> quoted below? If yes, we can treat this as a low-priority security fix
> (I would personally rate its severity at somewhere between important
> and minor) and fix it in a point release later.

I do agree, a point release update seems enough (if feasible, in backport size and confidence).

Regards,
Salvatore