
Re: Bug#827397: RFS: vlc/2.0.3-5+deb7u3



Dear LTS team, Mateusz:

On Thu, Jun 16, 2016 at 09:12:47AM +0200, Adam Borowski wrote:
> On Thu, Jun 16, 2016 at 06:53:49AM +0000, Gianfranco Costamagna wrote:
> > Hi Adam,
> > (answering in general, not in this particular situation)
> > 
> > 
> > >I've reviewed the upload, but I'm not sure if you coordinated it
> > >with the LTS team.  I find a contradiction:
> > >  https://lists.debian.org/debian-lts/2016/06/msg00031.html
> > >says vlc is no longer supported in wheezy, yet in
> > >  https://lists.debian.org/debian-lts/2016/06/msg00035.html
> > >the quoted mail sounds as if the upload is expected.
> > >
> > >Should I proceed?
> > 
> > I guess not
> > 
> > In general, for security pocket, you need to do:
> > - check/test the patch
> > - wait for an ack from security team
> > - upload (binary-upload, not sure if source only is allowed, but I think not IIRC)  on security-master
> > e.g.
> 
> The docs on the LTS wiki suggest it is, but I asked to confirm.

I think you also need to do the build with -sa, as you need to upload
the full sources to security-master.

> > BTW according to security tracker wheezy is EOL for that cve, no DSA is released, so I guess you won't
> > have the ack
> > https://security-tracker.debian.org/tracker/CVE-2016-5108
> 
> The discussion continued after the EOL was mentioned, and Mateusz was
> obviously aware of it, thus I assume the RFS he filed was acked in parts of
> the discussion that are missing from list archives.
> 
> In any case, the patch is simple and works for me.
> 
> > (well, since there is a patch and an upload ready they might give an exception, but I think
> > asking before is the right way to deal with this bug)
> 
> Right... which is exactly what I'm doing right now :)
> Wheezy has been handed off from security to the LTS team.

We haven't heard anything on this RFS for nearly 3 months.
Can you see if there is anything that you'd like?  For example, I don't
see a DLA entry in dla-needed for VLC (nor would I expect one considering
VLC is not declared as supported iirc).
Anyway I suppose that a one-shot update can't really harm anybody.

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
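The thread above says a security-master upload must be built with -sa so that the full sources go up with it. As an added example (not from this thread or from the Debian tooling), here is a small pre-upload check that a reviewer can run on the resulting .changes file: it confirms the Files: section actually lists the .orig tarball, which is what -sa guarantees. The .changes contents and the md5 values in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original mail thread.
# Before an upload to security-master, confirm that the .changes file lists
# the .orig tarball, i.e. that the package really was built with -sa.

changes_has_full_source() {
    # The Files: section of a .changes names every file in the upload; a
    # "-sa" build includes the upstream .orig.tar.* there.
    grep -qE '\.orig\.tar\.(gz|xz|bz2)' "$1"
}

check_changes() {
    if changes_has_full_source "$1"; then
        echo "OK: $1 lists the orig tarball (built with -sa)"
        return 0
    fi
    echo "MISSING: $1 lacks the orig tarball; rebuild with -sa before uploading" >&2
    return 1
}

# Constructed sample .changes files (placeholder md5sums, hypothetical sizes).
tmpdir=$(mktemp -d)
cat > "$tmpdir/with_sa.changes" <<'EOF'
Files:
 00000000000000000000000000000000 1234 video optional vlc_2.0.3-5+deb7u3.dsc
 00000000000000000000000000000000 5678 video optional vlc_2.0.3.orig.tar.xz
 00000000000000000000000000000000 910 video optional vlc_2.0.3-5+deb7u3.debian.tar.gz
EOF
cat > "$tmpdir/without_sa.changes" <<'EOF'
Files:
 00000000000000000000000000000000 1234 video optional vlc_2.0.3-5+deb7u3.dsc
 00000000000000000000000000000000 910 video optional vlc_2.0.3-5+deb7u3.debian.tar.gz
EOF

# Run the check on both samples; the second one is expected to fail.
check_changes "$tmpdir/with_sa.changes"
check_changes "$tmpdir/without_sa.changes" || true
```

In practice you would point check_changes at the .changes that debuild or dpkg-buildpackage wrote, and only hand the upload to dput once it passes.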
