On Thu, Mar 16, 2017 at 07:33:37AM +0900, Charles Plessy wrote:
> Hi Dirk and Salvatore,
>
> > From: Dirk Eddelbuettel <e...@debian.org>
> > On 11 March 2017 at 17:56, Salvatore Bonaccorso wrote:
> > |
> > | The relevant changes seem to be the following, but I might be mistaken. (btw,
> > | is there a VCS repository for r-base or does upstream not share development
> > | VCS?)
> >
> > They do at svn.r-project.org -- but that isn't browsable -- and the
> > community has a mirror here https://github.com/wch/r-source
>
> Actually there is anonymous access:
>
> $ svn log https://svn.r-project.org/R/trunk/ | head
> ------------------------------------------------------------------------
> r72357 | luke | 2017-03-16 04:32:54 +0900 (jeu. 16 mars 2017) | 4 lignes
>
> Use two uniforms in sample() for higher precision when the uniform
> generator is one of the Knuth generators or a user-defined generator
> and the population size is at least 2^25.
>
> ------------------------------------------------------------------------
> r72356 | luke | 2017-03-16 03:58:45 +0900 (jeu. 16 mars 2017) | 2 lignes
>
> But the GitHub mirror is likely to be more convenient

Thanks a lot to both for the information about that! I did not find it
initially when trying to deduce what changes were done for the CVE.
Thanks, really appreciated.

>
> > | Can you as well please make sure with the release team that the fix might enter
> > | for stretch?
> >
> > How would I do that? Suggest current upstream 3.3.3 to be passed down, or
> > prepare a 'testing-security' upload?
>
> Actually, I see 3.3.3 in testing already.

Yep, apparently in this case it was hint'ed without an explicit unblock
request. For reference:

https://release.debian.org/stretch/freeze_policy.html

Does this help?

Regards,
Salvatore