Hi Mathieu,

On Wed, Apr 30, 2014 at 11:09:57AM +0200, Mathieu Malaterre wrote:
> On Wed, Apr 30, 2014 at 10:44 AM, Salvatore Bonaccorso
> <car...@debian.org> wrote:
> > fixed 743960 2.0-2+deb7u1
> > fixed 743960 2.0-2.1
> > thanks
> 
> Indeed, sorry for the mess.
> 
> > On Wed, Apr 30, 2014 at 08:47:00AM +0200, Mathieu Malaterre wrote:
> >> Control: reopen -1
> >>
> >> carnil, 2.0-2+deb7u1 was prepared before CVEs were published (before
> >> 2.1 was released). There is no sense to upload 2.0-2.1, it would have
> >> been easier to upload 2.1 directly...
> >
> > Hmm, could you elaborate what is wrong in your opinion what I did?
> >
> > The security team was aware of this issue before the issue was
> > made public. Moritz uploaded 2.0-2+deb7u1 to be released as a DSA
> > (https://www.debian.org/security/2014/dsa-2900). My upload was to have
> > the same fix also for testing and unstable. So the bug is also fixed
> > now in testing and unstable.
> >
> > I though agree that a new upstream version should also be uploaded.
> 
> There is nothing /wrong/ per se. AFAIK there is no urgency to fix
> CVE(s) in testing/sid. Packager will now need to integrate your upload
> in its history, which may delay 2.1 release even further. And as a
> result 2.1 will be identical to 2.0-2+deb7u1, except it would have
> been 'cleaner' from my point of view.

Ah, now I understand better your reply :). This was the reason for me to
upload the NMU: There was a DSA for it, and unstable version was still
unfixed. As there was no reply from Michael regarding the 2.1 upload,
to have the fix in jessie, also guaranteeing that version(wheezy) <=
version(jessie) I did a minimal diff update only applying the patch
needed as NMU (not looking at new upstream version what else might
have changed[*]).

The package was then 'urgented' by the Release Team before the Wheezy
7.5 point release update so that we have above condition now.

Mathieu, thanks for taking time and explaining your point of view!

Regards,
Salvatore

 [*] to give an example: I also did libyaml updates for security fixes
 to unstable recently, updating to new upstream version would have
 introduced also a new build-system.

