Re: Fwd: jessie backport for Wordpress
On Mon, 27 Jul 2015, Rodrigo Campos wrote:
> On Mon, Jul 27, 2015 at 11:12:46AM +0200, Alexander Wirt wrote:
> > On Sun, 26 Jul 2015, Rodrigo Campos wrote:
> > > On Sun, Jul 26, 2015 at 02:35:19PM +0100, Adam D. Barratt wrote:
> > > > On Sun, 2015-07-26 at 16:53 +1000, Craig Small wrote:
> > > > > On Fri, Jul 24, 2015 at 06:59:09PM +0100, Rodrigo Campos wrote:
> > > > > > > Craig, would you like to sponsor it? It's in mentors.
> > > > > > Ping Craig? :)
> > > > > I'm here, I uploaded it yesterday but I have not heard anything back
> > > > > from dinstall for either it or the wordpress update. It's all very
> > > > > mysterious.
> > > >
> > > > The queued log on ftp-master says:
> > > >
> > > > Jul 24 11:41:19 processing /wordpress_4.2.3+dfsg-1_amd64.changes
> > > > Jul 24 11:41:19 GnuPG signature check failed on wordpress_4.2.3+dfsg-1_amd64.changes
> > > > Jul 24 11:41:19 /wordpress_4.2.3+dfsg-1_amd64.changes has bad PGP/GnuPG signature!
> > > > [...]
> > > > Jul 24 22:50:11 processing /wordpress_4.2.2+dfsg-1~bpo8+1_amd64.changes
> > > > Jul 24 22:50:11 GnuPG signature check failed on wordpress_4.2.2+dfsg-1~bpo8+1_amd64.changes
> > > > Jul 24 22:50:11 /wordpress_4.2.2+dfsg-1~bpo8+1_amd64.changes has bad PGP/GnuPG signature!
> > > >
> > > > If the gpg check fails then you won't get a notification, as the archive
> > > > can't be sure who actually performed the upload.
> > >
> > > Oh, great. And who should sign, then? Me or Craig that is the sponsor?
> > >
> > > That one is signed by me, but I haven't uploaded my key to any place except
> > > mentors. If it's me, is it uploading to some place enough? Or should I also get
> > > some other people to verify me for it to be usable in this?
> > JFTR, I expect CVE-2015-5623 and CVE-2015-5622 fixed before you upload the
> > package to bpo. Please don't upload packages with known security problems.
> I was waiting for the package to be on unstable for that.
> How should this be done? First upload a fixed package to unstable and then the
> fixed package to bpo?
Upload to unstable, wait for testing migration, pray for no new CVEs and then
upload to bpo.