
Re: Fwd: jessie backport for Wordpress



On Mon, Jul 27, 2015 at 04:12:15PM +0200, Alexander Wirt wrote:
> On Mon, 27 Jul 2015, Rodrigo Campos wrote:
> 
> > On Mon, Jul 27, 2015 at 03:35:06PM +0200, Alexander Wirt wrote:
> > > On Mon, 27 Jul 2015, Rodrigo Campos wrote:
> > > 
> > > > On Mon, Jul 27, 2015 at 11:12:46AM +0200, Alexander Wirt wrote:
> > > > > On Sun, 26 Jul 2015, Rodrigo Campos wrote:
> > > > > 
> > > > > > On Sun, Jul 26, 2015 at 02:35:19PM +0100, Adam D. Barratt wrote:
> > > > > > > On Sun, 2015-07-26 at 16:53 +1000, Craig Small wrote:
> > > > > > > > On Fri, Jul 24, 2015 at 06:59:09PM +0100, Rodrigo Campos wrote:
> > > > > > > > > > Craig, would you like to sponsor it? It's in mentors.
> > > > > > > > > Ping Craig? :)
> > > > > > > > I'm here, I uploaded it yesterday but I have not heard anything back
> > > > > > > > from dinstall for either it or the wordpress update. It's all very
> > > > > > > > mysterious.
> > > > > > > 
> > > > > > > The queued log on ftp-master says:
> > > > > > > 
> > > > > > > Jul 24 11:41:19 processing /wordpress_4.2.3+dfsg-1_amd64.changes
> > > > > > > Jul 24 11:41:19 GnuPG signature check failed on wordpress_4.2.3+dfsg-1_amd64.changes
> > > > > > > Jul 24 11:41:19 /wordpress_4.2.3+dfsg-1_amd64.changes has bad PGP/GnuPG signature!
> > > > > > > [...]
> > > > > > > Jul 24 22:50:11 processing /wordpress_4.2.2+dfsg-1~bpo8+1_amd64.changes
> > > > > > > Jul 24 22:50:11 GnuPG signature check failed on wordpress_4.2.2+dfsg-1~bpo8+1_amd64.changes
> > > > > > > Jul 24 22:50:11 /wordpress_4.2.2+dfsg-1~bpo8+1_amd64.changes has bad PGP/GnuPG signature!
> > > > > > > 
> > > > > > > If the gpg check fails then you won't get a notification, as the archive
> > > > > > > can't be sure who actually performed the upload.
> > > > > > 
> > > > > > Oh, great. And who should sign, then? Me or Craig that is the sponsor?
> > > > > > 
> > > > > > That one is signed by me, but I haven't uploaded my key to any place except
> > > > > > mentors. If it's me, is it uploading to some place enough? Or should I also get
> > > > > > some other people to verify me for it to be usable in this?
> > > > > JFTR, I expect CVE-2015-5623 and CVE-2015-5622 [1] fixed before you upload the
> > > > > package to bpo. Please don't upload packages with known security problems.
> > > > 
> > > > I was waiting for the package to be on unstable for that.
> > > > 
> > > > How should this be done? First upload a fixed package to unstable and then the
> > > > fixed package to bpo?
> > > Upload to unstable, wait for testing migration, pray for no new CVEs and then
> > > upload to bpo.
> > 
> > Is this because it's the first upload of the package? Because if there are
> > security issues it says you don't have to wait for the testing migration.
> Yes, if the package already is in bpo, it's better to fix bugs than to wait.
> But there is no reason to upload from unstable if the package is not already
> in testing.

Great, good to know. Will wait for the fixed package to be in testing then.




Thanks!
Rodrigo

