[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#827397: RFS: vlc/2.0.3-5+deb7u3

Dear LTS team, Mateusz:

On Thu, Jun 16, 2016 at 09:12:47AM +0200, Adam Borowski wrote:
> On Thu, Jun 16, 2016 at 06:53:49AM +0000, Gianfranco Costamagna wrote:
> > Hi Adam,
> > (answering in general, not in this particular situation)
> > 
> > 
> > >I've reviewed the upload, but I'm not sure if you coordinated it
> > >with the LTS team.  I find a contradition:
> > >  https://lists.debian.org/debian-lts/2016/06/msg00031.html
> > >says vlc is no longer supported in wheezy, yet in
> > >  https://lists.debian.org/debian-lts/2016/06/msg00035.html
> > >the quoted mail sounds as if the upload is expected.
> > >
> > >Should I proceed?
> > 
> > I guess not
> > 
> > In general, for security pocket, you need to do:
> > - check/test the patch
> > - wait for an ack from security team
> > - upload (binary-upload, not sure if source only is allowed, but I think not IIRC)  on security-master
> > e.g.
> The docs on the LTS wiki suggest it is, but I asked to confirm.

I think you also need to do the build with -sa, as you need to upload
the full sources to security-master.

> > BTW according to security tracker wheezy is EOL for that cve, no DSA is released, so I guess you won't
> > have the ack
> > https://security-tracker.debian.org/tracker/CVE-2016-5108
> The discussion continued after the EOL was mentioned, and Mateusz was
> obviously aware of it, thus I assume the RFS he filed was acked in parts of
> the discussion that are missing from list archives.
> In any case, the patch is simple and works for me.
> > (well, since there is a patch and an upload ready they might give an exception, but I think
> > asking before is the right way to deal with this bug)
> Right... which is exactly what I'm doing right now :)
> Wheezy has been handed off from security to the LTS team.

We haven't heard anything on this RFS for nearly 3 months.
Can you see if there is anythin that you'd like.  For example, I don't
see a DLA enrty in dla-needed for VLC (nor I'd expect one considering
VLC is not declared as support iirc).
Anyway I suppose that a one-shot update can't really harm anybody.

                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-

Attachment: signature.asc
Description: PGP signature

Reply to: