Hi Brian, (replying to your two mails in one.) On Tue, Aug 09, 2016 at 08:18:53PM +1000, Brian May wrote: > No, the upload did not include any new vulnerabilites that I know > of. Otherwise I would have listed them. > > See https://lists.debian.org/debian-lts/2016/07/msg00069.html for the > reason why I uploaded. ah, CVE-2016-6186! :-) That "magic string" should have been part of your announcement and of course thats very easy to say now. > Also see https://lists.debian.org/debian-lts/2016/08/msg00088.html. > I asked for help here on the wording of the DLA, but got none. So I had > to make do with the best I could come up with. I felt I had listed the > reasons for the upload. /me nods. It's hard(er) to review / improve something which "aint there" (yet) or is only posted as a link. I guess I would have probably said something if you had posted the full text of this DLA to this list, so that one can easily read it in the mail client… When sending my initial reply to this very DLA I also hadn't realize that this was your first DLA ever, which I failed to consider. Apologies for that. > > (And, unrelated, the stable update had a +deb8u5 version, I think a > > +deb7uX version would been appropriate here as well.) > There didn't appear to be any need. There is never going to be any > conflict with any other distribution, which is the usual reason for > these prefixes. the advantage of using +deb7uX always is that it's easy to see that "this package" had X security uploads in the lifetime of wheezy. (I wondered the same when updating debian-edu-doc from 1.6~20150704~8+edu0 to 1.6~20160528+deb8u1 in stable…) > (besides, wouldn't a good time to mention this have been before I > uploaded, when I was asking for people to test it?) yes, surely. just my time is limited, so sometimes/often I skip review requests, while I usually do take time to read DSAs+DLAs. -- cheers, Holger
Attachment:
signature.asc
Description: Digital signature