On Wed, 8 Aug 2007, Lionel Elie Mamane wrote:
> Yes, but we should still fix that in stable, not only unstable.

Yes, I wasn't suggesting that we don't fix it in stable, but rather that a fix was available and had been uploaded to Debian (unstable). The BTS supports version tracking and even though the bug may be closed, these security issues are still listed as open for asterisk in etch. Of course if we have a way of testing that the fix in unstable is valid, that's even better.

Of course fixing the plethora of security fixes against asterisk 1.2 is an issue and a fair amount of work. Whilst Digium continues to provide supported releases of 1.2.x with bug fixes, by rights we should be only taking the diffs and applying them to Debian stable via the Debian security team, which is a job in itself.

We are maintaining up-to-date asterisk 1.2 packages built against stable (etch) via http://buildserver.net, but that is using the latest asterisk 1.2 upstream release and isn't a suitable security fix for upload to stable. (but would be a lot less work and would get the fixes into stable v. quickly) security team.

This is an issue, we (pkg-voip) are aware we are well behind the curve on this, but were wondering if you have any ideas on a way to better manage?

Mark