Ryuichi-san, You just uploaded version 6.0.7.1 of imagemagick to unstable with the justification: * New upstream release Upstream authors applied the patch, by Daniel Kobras, which fixes BMP vulnerabilities assigned CAN-2004-0827 (http://studio.imagemagick.org/pipermail/magick-developers/2004-August/002011.html). This is NOT the version of imagemagick which fixes this bug; the bug was already fixed in 6.0.6.2, which you uploaded to unstable over a week ago! This is made clear by the URL you linked to in the changelog, which points to ImageMagick 6.0.6. This is also made clear by bug 268357, which was opened by Daniel Kobras himself to track the status of this issue in testing. You uploaded a new version of imagemagick *less than 24 hours before this security fix was due to reach testing*. You have now reset the waiting period for this package, and forced rebuilds on all architectures before this security fix can reach testing. The *last* new upstream version you uploaded, 6.0.6.2, fixed a security hole -- but it also made the package unusable on ia64, requiring a lot of developer time to track down and making other packages fail to build. We have no idea what problems *this* new upstream version may cause; we may not even have a chance to find out before releasing whether this version introduces new arch-specific breakage. This is not appropriate handling of a package with 61 reverse-dependencies and countless indirect reverse-dependencies while we are trying to freeze for release! ImageMagick 6.0 was accepted into unstable on 15 Apr 2004, and there have been almost weekly uploads since then -- including uploads of 20 new upstream releases -- with no breaks long enough to let this package and the packages depending on it into testing. Even once the libtiff transition was announced, you made *two more uploads of new upstream releases* while we were trying to get all of the packages into a state where they could be moved into testing. This is not appropriate handling of a package with 61 reverse-dependencies at *any* time during a release cycle! The goal of package maintenance is not to get the latest upstream version into Debian; the goal of package maintenance is to contribute to a quality operating system. It is very difficult to assure the quality of a component that changes every week, as ImageMagick has done since at least April. Library maintainers: please remember that you are not working in isolation. You have an obligation to pay attention to the needs of maintainers of packages that depend on yours, who are *users* of your package! -- Steve Langasek postmodern programmer
Attachment:
signature.asc
Description: Digital signature