[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Not the only one. Was: Re: Bug#757555: pam: CVE-2014-2583 pam_timestamp directory traversal issues

Hi,

2014-08-10 14:25 Lisandro Damián Nicanor Pérez Meyer:

On Saturday 09 August 2014 18:46:09 Steve Langasek wrote:
[snip]

Which according to elsewhere in my mailbox, you've dealt with by uploading a
10-day delayed NMU.  This is unacceptable.  The NMU process always requires
that you send your NMU diff to the BTS for review by the maintainer
*first*. When doing a delayed NMU, it's reasonable to send this diff to the
BTS at the same time.  Here, you have failed to send this NMU diff at all,
and the only notification has been an easily-overlooked mail from the
ftp-master queue software.

Maintainers should not have to go grubbing around in the delayed queue to
find out what's been uploaded.  The NMUer is responsible for sending the NMU
diff to the maintainer.

I have removed pam_1.1.3-8.1_amd64.changes from the delayed queue.  If you
have changes that you would like to see included in this package, please
send them to the BTS where they belong.


Interesting, because yesterday I've got a patch [0] (cool, thanks a lot!) but
stating that the package has been NMUed and uploaded to delayed/5. So, even 5
less days than in your case.

Less than 5 minutes later, the package entered the archive [1].

So, what am I supposed to do here?

Doko: I *really* appreciate the fact that you sent a patch, but *please*
respect your fellow DDs.

[0] <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746907#12>
[1] <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746907#19>



I agree that in the case that Steve is complaining about, the NMUer
should have sent the diff.  It was probably an oversight, I probably
wouldn't be so concerned as Steve about it as to send an email to
debian-devel@, or maybe yes...

In this case of qtwebkit, I agree that it *could* have been sent to
delayed, especially since KDE team is generally active and so on (and
because it was mentioned in the e-mail).

But on the other hand, a FTBFS bug in an important package such as
qtwebkit, reported 3 months ago and set to priority serious more than
2 months ago, with no replies from the maintainers, and being a quite
trivial fix as it is (not a patch changing behaviour, just silencing
compiler warnings about unused functions), I think that there also
perfectly justificable to upload straight away instead of to DELAYED.

I for one agree with the guidelines as stated here, and Matthias
respected them:

http://www.debian.org/doc/manuals/developers-reference/pkgs.html#nmu

 "Upload fixing only release-critical bugs older than 7 days, with no
  maintainer activity on the bug for 7 days and no indication that a
  fix is in progress: 0 days"


I appreciate that the team is busy and all, but adding the changes
from a NMUdiff is not too much extra job in my experience (if that's
what you find annoying about it?).


Cheers.
--
Manuel A. Fernandez Montecelo <manuel.montezelo@gmail.com>
Reply to: