On 03.05.2016 at 17:49, Guilhem Moulin wrote:
> On Tue, 03 May 2016 at 10:47:31 -0400, Antoine Beaupré wrote:
>> I agree, however I suspect most people using roundcube in production are
>> probably using the backport... There's even a dangling backport in
>> wheezy right now (0.9)... a little messy.
>
> Sorry, I meant oldstable-backports not oldstable. Packaging 1.0.x for
> wheezy-backports sounds much easier than backporting security patches to
> wheezy's 0.7.x.

Hi,

the backports team regularly rejects packages that try to fix bugs or even security vulnerabilities by providing the fixes with {wheezy|jessie}-backports instead of fixing them via stable or security updates directly. I'm not sure yet how difficult it would be to backport the fixes to the 0.7.x branch and if all CVEs apply to Wheezy but that would be the preferred solution which might also be less disruptive. The second best solution would be to backport either the 1.0.x branch or your jessie-backport packages to Wheezy.

Since you actively maintain them, what do you think, how complex is the task to backport the packages from jessie-backports to Wheezy?

>> I filed a bug about the dangling backport in wheezy:
>>
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813843
>>
>> I wonder how best to deal with this: should the backport just be removed
>> or what?
>
> Agreed, I think 0.9 should be either removed from the archive or
> superseded by 1.0.x.

+1

I'm all for removing it as soon as possible from backports. We don't need to wait for updated packages.

Regards,

Markus