Re: Roundcube Webmail 1.4.5

[David Pottage <david@chrestomanci.org>]

On 2020-06-03 13:00, Guilhem Moulin wrote:
> Wow.  That conclusion seems premature, 1.4.5 was released last night
> (and not announced to <announce@lists.roundcube.net> for some reason)
> and not even uploaded to sid yet.  The vulnerabilities aren't serious
> enough not to wait for the package to transition to testing (with
> priority=high).  Like for 1.4.4.

To illuminate the timeline a little:

I am subscribed to the project in Github, so I got a mail about bug 7406 
[1]
which had no details at the time other than it was security
(It looks like the bug description has been edited after the 1.4.5 
release).

The github project owner replied quite promptly to say that the bugs 
where fixed
and a new release would be out "in a few days", so I expected this 1.4.5 
release

I would have expected the Debian package maintainer to also be 
subscribed to the
project upstream on github, and to have been anticipating this release.

In addition, When the latest release was made it was accidentally tagged 
as 1.4.4
on github which did confuse things for a day or so until the issue was 
corrected.


[1] https://github.com/roundcube/roundcubemail/issues/7406

--
David Pottage