
Re: Bug#827397: RFS: vlc/2.0.3-5+deb7u3

On Thu, Jun 16, 2016 at 06:53:49AM +0000, Gianfranco Costamagna wrote:
> Hi Adam,
> (answering in general, not in this particular situation)
> >I've reviewed the upload, but I'm not sure if you coordinated it
> >with the LTS team.  I find a contradiction:
> >  https://lists.debian.org/debian-lts/2016/06/msg00031.html
> >says vlc is no longer supported in wheezy, yet in
> >  https://lists.debian.org/debian-lts/2016/06/msg00035.html
> >the quoted mail sounds as if the upload is expected.
> >
> >Should I proceed?
> I guess not
> In general, for security pocket, you need to do:
> - check/test the patch
> - wait for an ack from security team
> - upload (binary-upload, not sure if source only is allowed, but I think not IIRC)  on security-master
> e.g.

The docs on the LTS wiki suggest it is, but I asked to confirm.

> you can see the accept email here
> https://packages.qa.debian.org/v/virtualbox/news/20160129T103406Z.html
> but I never and I think they really don't like it, pushed without having an explicit ack
> from security team (and it should even be mentioned in the security policy)

It is mentioned, in the Developer Reference.

I assume Mateusz discussed the upload -- it's only a copy of a patch already
applied to jessie, and what I see in debian-lts archives includes a part of
such a discussion.

> BTW according to security tracker wheezy is EOL for that CVE, no DSA is released, so I guess you won't
> have the ack
> https://security-tracker.debian.org/tracker/CVE-2016-5108

The discussion continued after the EOL was mentioned, and Mateusz was
obviously aware of it, thus I assume the RFS he filed was acked in parts of
the discussion that are missing from list archives.

In any case, the patch is simple and works for me.

> (well, since there is a patch and an upload ready they might give an exception, but I think
> asking before is the right way to deal with this bug)

Right... which is exactly what I'm doing right now :)
Wheezy has been handed off from security to the LTS team.

An imaginary friend squared is a real enemy.
