
Re: Debian LTS Security update of ruby-rest-client (advice needed)



On Fri, 20 May 2016, Antonio Terceiro wrote:
> > I see two options:
> > 1) I upload this fix above and we introduce the ruby-http-cookie (its
> > dependencies are already there, I have tested with the jessie version of
> > ruby-http-cookie on wheezy, so it is just to add this package too)
> > 2) We tell that the fix is not important enough.
> > I do not see the point in trying to change the correction in some other way
> > for wheezy.
> 
> Can you introduce new packages in LTS? If you can, then just doing that
> and using the patch that was applied in jessie is probably good enough.

Technically we can but we need a ftpmaster to process NEW on
security.debian.org I guess.

From a policy point of view, I have mixed feelings. It means the security
upgrade might not be picked by "apt-get upgrade" due to the new
dependency.

Is the CVE severe enough to justify that extra work?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

