On Sat, 2023-01-14 at 21:15 +0100, Salvatore Bonaccorso wrote:
> Hi Simon,
>
> Thank you for adding looping in.
>
> On Thu, Jan 12, 2023 at 10:10:35AM +0000, Simon McVittie wrote:
> > Control: tags -1 + security
> >
> > On Wed, 11 Jan 2023 at 16:37:01 +0000, Philip Withnall wrote:
> > > Are there plans to backport the recent GVariant security fixes to
> > > Debian Stable?
> > >
> > > These are:
> > > - https://gitlab.gnome.org/GNOME/glib/-/issues/2782
> > > - https://gitlab.gnome.org/GNOME/glib/-/issues/2121
> > > - https://gitlab.gnome.org/GNOME/glib/-/issues/2540
> > > - https://gitlab.gnome.org/GNOME/glib/-/issues/2794
> > > - https://gitlab.gnome.org/GNOME/glib/-/issues/2797
> > > - https://gitlab.gnome.org/GNOME/glib/-/issues/2840
> > > - https://gitlab.gnome.org/GNOME/glib/-/issues/2841
> > >
> > > In addition, these two issues have highly related fixes (which it’s
> > > probably easiest to backport in the same tranche), but they are not
> > > security issues:
> > > - https://gitlab.gnome.org/GNOME/glib/-/issues/2612
> > > - https://gitlab.gnome.org/GNOME/glib/-/issues/2839
> > >
> > > Apologies if a decision has been deliberately taken to not backport
> > > them, I don’t fully understand the criteria for what gets backported.
> >
> > There are actually two sets of criteria for what gets backported to
> > stable. If the Debian security team (Cc'd) thinks an issue is sufficiently
> > serious to need a security advisory and an immediate release, then they
> > prepare a security update, either doing the work themselves or coordinating
> > with the package's maintainer for the actual code changes.
> >
> > If the security team are not interested in an issue, but the package's
> > maintainer thinks the issue needs a stable update, then the package's
> > maintainer coordinates with the release team to get the change into the
> > next stable point release, which happens once per 1-2 months.
> >
> > I think these issues are all denial-of-service, which the security team
> > usually treats as not sufficiently important for an advisory and an
> > off-schedule fix. Security team: do you agree, based on the information
> > quoted below? If yes, we can treat this as a low-priority security fix
> > (I would personally rate its severity at somewhere between important
> > and minor) and fix it in a point release later.
>
> I do agree, a point release update seems enough (if feasible, in
> backport size and confidence).

Makes sense to me. Thanks both for considering this.

Philip