Re: [SECURITY] [DLA 590-1] python-django security update

Hi Brian,

(replying to your two mails in one.)

On Tue, Aug 09, 2016 at 08:18:53PM +1000, Brian May wrote:
> No, the upload did not include any new vulnerabilities that I know
> of. Otherwise I would have listed them.
> See https://lists.debian.org/debian-lts/2016/07/msg00069.html for the
> reason why I uploaded.
Ah, CVE-2016-6186! :-) That "magic string" should have been part of your
announcement and of course that's very easy to say now.

> Also see https://lists.debian.org/debian-lts/2016/08/msg00088.html.
> I asked for help here on the wording of the DLA, but got none. So I had
> to make do with the best I could come up with. I felt I had listed the
> reasons for the upload.

/me nods. It's hard(er) to review / improve something which "aint there"
(yet) or is only posted as a link. I guess I would have probably said
something if you had posted the full text of this DLA to this list, so
that one can easily read it in the mail client…

When sending my initial reply to this very DLA I also hadn't realized that
this was your first DLA ever, which I failed to consider. Apologies for

> > (And, unrelated, the stable update had a +deb8u5 version, I think a
> > +deb7uX version would have been appropriate here as well.)
> There didn't appear to be any need. There is never going to be any
> conflict with any other distribution, which is the usual reason for
> these prefixes.

The advantage of always using +deb7uX is that it's easy to see that
"this package" had X security uploads in the lifetime of wheezy.

(I wondered the same when updating debian-edu-doc from
1.6~20150704~8+edu0 to 1.6~20160528+deb8u1 in stable…)

> (besides, wouldn't a good time to mention this have been before I
> uploaded, when I was asking for people to test it?)

Yes, surely. It's just that my time is limited, so sometimes/often I skip review
requests, while I usually do take time to read DSAs+DLAs.
