
Re: wheezy update for libav



On 13.09.2016 16:48, Diego Biurrun wrote:
> On Tue, Sep 13, 2016 at 03:14:41PM +0200, Markus Koschany wrote:
[...]
>> In short we need:
>>
>> a) the single patches rebased against the current version in Wheezy or a
>> Git repository for the same purpose
> 
> https://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/0.8
> 
>> b) a concrete statement what patches and how many should go into the
>> next security update
> 
> All commits in the above branch, which will also appear in the next 0.8
> release.

When I click on the above link it is not clear to me which commit fixes
a specific CVE. Just to understand what I'm aiming at, in Debian we use
quilt patches that are applied on top of the upstream release. We have a
clear distinction between upstream source and Debian-specific changes. I
would prefer one patch per issue that corresponds to exactly one CVE or
clear instructions which commits fix which CVE. But I guess I will leave
this to Hugo now.

>> c) a deadline
>>
>> Provided we can clarify a) and b) soon, would it be doable to release a
>> new security update at the end of September?
> 
> The end of September sounds good to me, I can roll a new release then.

Just to be clear, a new upstream libav doesn't need to coincide with a
Debian security update. It wouldn't do any harm though. Important is
that we only fix security-related issues and leave possible features out
that are not strictly needed to fix the CVEs.

Regards,

Markus

