root@focal:~# reverse-depends libjcat1
Reverse-Depends
* fwupd
* gir1.2-jcat-1.0
* jcat
* libfwupd2
* libfwupdplugin1
* libjcat-dev
* libjcat-tests

I don't have a strong opinion on whether backporting just the CVE fix or doing a wholesale backport of 0.1.3-2 is the better option - it depends on how likely the 0.1.3-2 backport is to cause some regression - the CVE fix itself looks pretty self-contained in https://github.com/hughsie/libjcat/commit/839b89f so I don't think that is likely to cause any issues itself, however there is potentially a regression risk with sticking with libjcat 0.1.0 combined with a newer fwupd too, so either way this will need good testing to ensure the risk of regression is minimised.

Given this, perhaps the better option is to just backport 0.1.3-2 as we have evidence that this works well with fwupd 1.5.11 in impish.

--
https://bugs.launchpad.net/bugs/1920724

Title:
  Upgrade focal/libjcat to version 0.1.3-2 and MIR it