
Re: Upload request: chasquid 1.13-1

On Sun, Jan 21, 2024 at 06:30:11PM +0530, Nilesh Patra wrote:

On 21 January 2024 6:08:42 pm IST, Alberto Bertogli <albertito@blitiri.com.ar> wrote:

I gave this a try. This is my first time doing a stable backport (or any non-unstable change) so please let me know if I did something wrong, which is very likely.

I did the following:

- Created a new `debian/bookworm-backports` branch.
- Merged upstream's v1.11.1 into it, which incorporates the security fixes.

I don't know if this is okay, and if so, what comes next; so please let me know how to proceed from here!

Whilst all that is fine for backports, if the version of chasquid in stable is vulnerable then it needs to go via stable updates, and only *minimal* changes need to be done on top of the version in stable.

In this case it means backporting just the *patch* on top of the version in stable. Would this be possible to get done?

There are 3 patches in this release: patches 1 and 2 are minor (but important) adjustments to tests, so that patch 3 that contains the fix can be tested at all.

Applying just patch 3 would be nominally "minimal", but also fail

I would argue this is the minimal set of patches to fix the security release.

That said, of course that is subjective, other alternative patches could be done instead; and I'm sure there's a lot of Debian-specific criteria, history, and processes that can be applied to make these decisions, which I lack.

So I think at this point I'd rather leave this stable update to the Debian experts (which I am definitely not :).

The patches are there, and please if you have any questions I can help with in an upstream capacity, just let me know!

