Re: [SECURITY] [DLA 590-1] python-django security update

To: Holger Levsen <holger@layer-acht.org>
Cc: Brian May <bam@debian.org>, debian-lts@lists.debian.org
Subject: Re: [SECURITY] [DLA 590-1] python-django security update
From: Raphael Hertzog <hertzog@debian.org>
Date: Wed, 10 Aug 2016 22:29:00 +0200
Message-id: <[🔎] 20160810202900.GA15321@home.ouaza.com>
Mail-followup-to: Raphael Hertzog <hertzog@debian.org>, Holger Levsen <holger@layer-acht.org>, Brian May <bam@debian.org>, debian-lts@lists.debian.org
In-reply-to: <[🔎] 20160809112307.GA13876@layer-acht.org>
References: <20160809083846.GA8602@prune.linuxpenguins.xyz> <[🔎] 20160809085102.GD18813@layer-acht.org> <[🔎] 87vaza8ctu.fsf@prune.linuxpenguins.xyz> <[🔎] 20160809104130.GA6452@layer-acht.org> <[🔎] 87popi8b1n.fsf@prune.linuxpenguins.xyz> <[🔎] 20160809112307.GA13876@layer-acht.org>

Hi,

On Tue, 09 Aug 2016, Holger Levsen wrote:
> so I need to read the upstream changelog between 1.4.5 and 1.4.22 to
> find out why?

This update does fix bugs but not security bugs that would have warranted
a DLA on their own... it's just easier for us to work on the latest 1.4.x
release and makes our patch more useful for other 1.4.x users.

> I guess what "annoys" me most about [DLA 590-1] is that the only
> reasoning given is the _resulting action_ of something else, quote: "release
> team recently approved rebasing jessie on latest python-django 1.7.x (see
> #807654)" and then #807654 is about the 1.7 branch only, without stating
> these bugs are (all or just some?) also affecting 1.4…

The reasons I gave to the release team to update jessie to latest 1.7.x
also apply to update wheezy to latest 1.4.x. They are not about specific
issues but they are about maintainability of Django during the lifetime
of our releases.

> I'm sorry I contributed to making your first DLA such an unpleasent
> activity. My only purpose here is to improve future DLAs.

It's not Brian's first DLA… he has been working in the LTS team for
multiple months already.

That said, if I had done this myself, I would have probably prepared
the update in git and would have waited the next security issue to release
the 1.4.22 update at the same time.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

Reply to:

References:
- Re: [SECURITY] [DLA 590-1] python-django security update
  - From: Holger Levsen <holger@layer-acht.org>
- Re: [SECURITY] [DLA 590-1] python-django security update
  - From: Brian May <bam@debian.org>
- Re: [SECURITY] [DLA 590-1] python-django security update
  - From: Holger Levsen <holger@layer-acht.org>
- Re: [SECURITY] [DLA 590-1] python-django security update
  - From: Brian May <bam@debian.org>
- Re: [SECURITY] [DLA 590-1] python-django security update
  - From: Holger Levsen <holger@layer-acht.org>

Prev by Date: Re: Wheezy update of postgresql-9.1?
Next by Date: Re: matrixssl
Previous by thread: Re: [SECURITY] [DLA 590-1] python-django security update
Next by thread: Re: [SECURITY] [DLA 590-1] python-django security update
Index(es):
- Date
- Thread