
Re: Bug#827397: RFS: vlc/2.0.3-5+deb7u3



On 10.09.2016 14:57 +0200, Mattia Rizzolo wrote:
Dear LTS team, Mateusz:


Hi Mattia!

On Thu, Jun 16, 2016 at 09:12:47AM +0200, Adam Borowski wrote:
On Thu, Jun 16, 2016 at 06:53:49AM +0000, Gianfranco Costamagna wrote:
Hi Adam,
(answering in general, not in this particular situation)


I've reviewed the upload, but I'm not sure if you coordinated it
with the LTS team.  I find a contradiction:
 https://lists.debian.org/debian-lts/2016/06/msg00031.html
says vlc is no longer supported in wheezy, yet in
 https://lists.debian.org/debian-lts/2016/06/msg00035.html
the quoted mail sounds as if the upload is expected.

Should I proceed?

I guess not

In general, for security pocket, you need to do:
- check/test the patch
- wait for an ack from security team
- upload (binary-upload, not sure if source only is allowed, but I think not IIRC)  on security-master
e.g.

The docs on the LTS wiki suggest it is, but I asked to confirm.

I think you also need to do the build with -sa, as you need to upload
the full sources to security-master.

I pushed it to the mentors.


BTW according to security tracker wheezy is EOL for that cve, no DSA is released, so I guess you won't
have the ack
https://security-tracker.debian.org/tracker/CVE-2016-5108

The discussion continued after the EOL was mentioned, and Mateusz was
obviously aware of it, thus I assume the RFS he filed was acked in parts of
the discussion that are missing from list archives.

In any case, the patch is simple and works for me.

(well, since there is a patch and an upload ready they might give an exception, but I think
asking before is the right way to deal with this bug)

Right... which is exactly what I'm doing right now :)
Wheezy has been handed off from security to the LTS team.

We haven't heard anything on this RFS for nearly 3 months.
Can you see if there is anything that you'd like.  For example, I don't
see a DLA entry in dla-needed for VLC (nor would I expect one considering
VLC is not declared as supported iirc).
Anyway I suppose that a one-shot update can't really harm anybody.


--
 .''`.  Mateusz Łukasik
: :' :  http://mati75.eu
`. `'   Debian Member - mati75@linuxmint.pl
  `-    GPG: D93B 0C12 C8D0 4D7A AFBC  FA27 CCD9 1D61 11A0 6851

