
Re: Fwd: jessie backport for Wordpress



On Mon, 27 Jul 2015, Rodrigo Campos wrote:

> On Mon, Jul 27, 2015 at 03:35:06PM +0200, Alexander Wirt wrote:
> > On Mon, 27 Jul 2015, Rodrigo Campos wrote:
> > 
> > > On Mon, Jul 27, 2015 at 11:12:46AM +0200, Alexander Wirt wrote:
> > > > On Sun, 26 Jul 2015, Rodrigo Campos wrote:
> > > > 
> > > > > On Sun, Jul 26, 2015 at 02:35:19PM +0100, Adam D. Barratt wrote:
> > > > > > On Sun, 2015-07-26 at 16:53 +1000, Craig Small wrote:
> > > > > > > On Fri, Jul 24, 2015 at 06:59:09PM +0100, Rodrigo Campos wrote:
> > > > > > > > > Craig, would you like to sponsor it? It's in mentors.
> > > > > > > > Ping Craig? :)
> > > > > > > I'm here, I uploaded it yesterday but I have not heard anything back
> > > > > > > from dinstall for either it or the wordpress update. It's all very
> > > > > > > mysterious.
> > > > > > 
> > > > > > The queued log on ftp-master says:
> > > > > > 
> > > > > > Jul 24 11:41:19 processing /wordpress_4.2.3+dfsg-1_amd64.changes
> > > > > > Jul 24 11:41:19 GnuPG signature check failed on wordpress_4.2.3+dfsg-1_amd64.changes
> > > > > > Jul 24 11:41:19 /wordpress_4.2.3+dfsg-1_amd64.changes has bad PGP/GnuPG signature!
> > > > > > [...]
> > > > > > Jul 24 22:50:11 processing /wordpress_4.2.2+dfsg-1~bpo8+1_amd64.changes
> > > > > > Jul 24 22:50:11 GnuPG signature check failed on wordpress_4.2.2+dfsg-1~bpo8+1_amd64.changes
> > > > > > Jul 24 22:50:11 /wordpress_4.2.2+dfsg-1~bpo8+1_amd64.changes has bad PGP/GnuPG signature!
> > > > > > 
> > > > > > If the gpg check fails then you won't get a notification, as the archive
> > > > > > can't be sure who actually performed the upload.
> > > > > 
> > > > > Oh, great. And who should sign, then? Me or Craig that is the sponsor?
> > > > > 
> > > > > That one is signed by me, but I haven't uploaded my key to any place except
> > > > > mentors. If it's me, is uploading it to some place enough? Or should I also get
> > > > > some other people to verify me for it to be usable in this?
> > > > JFTR, I expect CVE-2015-5623 and CVE-2015-5622 [1] fixed before you upload the
> > > > package to bpo. Please don't upload packages with known security problems.
> > > 
> > > I was waiting for the package to be on unstable for that.
> > > 
> > > How should this be done? First upload a fixed package to unstable and then the
> > > fixed package to bpo?
> > Upload to unstable, wait for testing migration, pray for no new CVEs and then
> > upload to bpo.
> 
> Is this because it's the first upload of the package? Because if there are
> security issues it says you don't have to wait for the testing migration.
Yes, if the package already is in bpo, it's better to fix bugs than to wait.
But there is no reason to upload from unstable if the package is not already
in testing.

Alex

