Re: libseccomp2 CVE fixed only for buster-backports?



On 15 Jul 2020, at 10:43, formorer@formorer.de wrote:
> On Wed, Jul 15, 2020 at 10:15:40AM +0200, Harald Dunkel wrote:
>> On 2020-07-15 08:44, formorer@formorer.de wrote:
>>> someone told you nonsense.
>>> 
>>> https://backports.debian.org/FAQ/
>>> 
>>> "When security related bugs are fixed in Debian unstable the backporter
>>> is permitted to upload the package from directly there instead of
>>> having to wait until the fix hits testing."
>>> 
>> 
>> This means that the backporter does not have to wait for Testing to update
>> his backport.
>> 
>> Question is, is it common to fix security-related problems in backports only,
>> instead of stable?
> 
> No, that should not happen. We expect that security fixes land in
> stable too.

In this case though it's a backport that happens to have a security fix in one
of the previous versions (earlier than the version uploaded). You could also
imagine a case where a backport already exists, the security fix goes to
unstable, migrates to testing, and so the maintainer uploads it to update the
backport. That's just following process as if the security fix were any other
patch. I think your point is that the _exemptions_ for security fixes should
only apply when the package is also being fixed in stable (if the bug exists
there)?

Jess
