On Mon, Dec 30, 2024 at 12:05:41PM -0800, Otto Kekäläinen wrote: > The CVE is two months old, it alone isn't a reason to rush an upload within > hours specifically today. My goal was just to get it fixed before the package was marked for removal towards the end of January. This CVE is not something I would have classified as a zero-day. I wanted to take this as an opportunity to get some review and feedback on my workflow for contributing with the Go Team. As this package doesn't really follow the dh-make-golang workflow, I did not have as much documentation to go with (no pun intended). Does uploading a package to mentors help here or is just making a fork on Salsa the best way to go here? Is there a BKM I should be following here? > > I am just trying to highlight here that while it is good that we have > heroes who do a bunch of solo work for Debian, doing things a bit slower > and inclusively will help build teams and grow collaborators who will > actually maintain and improve the packages in the long-term. Thanks, Loren -- Loren M. Lang lorenl@north-winds.org http://www.north-winds.org/ Public Key: http://www.north-winds.org/lorenl_pubkey.asc Fingerprint: 7896 E099 9FC7 9F6C E0ED E103 222D F356 A57A 98FA
Attachment:
signature.asc
Description: PGP signature