On 13.09.2016 16:48, Diego Biurrun wrote:
> On Tue, Sep 13, 2016 at 03:14:41PM +0200, Markus Koschany wrote:
[...]
>> In short we need:
>>
>> a) the single patches rebased against the current version in Wheezy or a
>> Git repository for the same purpose
>
> https://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/0.8
>
>> b) a concrete statement what patches and how many should go into the
>> next security update
>
> All commits in the above branch, which will also appear in the next 0.8
> release.

When I click on the above link it is not clear to me which commit fixes
a specific CVE. Just to understand what I'm aiming at, in Debian we use
quilt patches that are applied on top of the upstream release. We have a
clear distinction between upstream source and Debian specific changes. I
would prefer one patch per issue that corresponds to exactly one CVE or
clear instructions which commits fix which CVE. But I guess I will leave
this to Hugo now.

>> c) a deadline
>>
>> Provided we can clarify a) and b) soon, would it be doable to release a
>> new security update at the end of September?
>
> The end of September sounds good to me, I can roll a new release then.

Just to be clear a new upstream libav doesn't need to coincide with a
Debian security update. It wouldn't do any harm though. Important is
that we only fix security related issues and leave possible features out
that are not strictly needed to fix the CVEs.

Regards,

Markus