On Tue, Sep 13, 2016 at 03:14:41PM +0200, Markus Koschany wrote:
> On 13.09.2016 15:00, Diego Biurrun wrote:
> > On Mon, Sep 12, 2016 at 12:52:32PM +0200, Hugo Lefeuvre wrote:
> >>> I'm counting 22 open CVEs for libav at the moment. Which of them do you
> >>> intend to address with your fixes? Do you mind working together with
> >>> Hugo Lefeuvre on some issues? I could imagine you both could pool your
> >>> resources together.
> >>
> >> (24 if we count the two issues marked no-dsa by the security team)
> >>
> >> Some CVE triage:
> >>
> >> Upstream patch applies directly, or almost:
> >> CVE-2015-5479
> >>
> >> Upstream patch needs some (heavy) adaptations:
> >> CVE-2015-1872
> >
> > I have already pushed fixes for these two CVEs to the 0.8 branch in
> > July. I think I notified you, not sure if you put out a new Debian
> > release that includes the fixes.
>
> I assume by 0.8 branch you are referring to the upstream repository.

I'm referring to the 0.8 branch in the official Libav repository:

https://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/0.8

> I think it would be easier if you sent the patches to this list or you
> created a new git repository based on Debian's version in Wheezy with
> your patches applied. This would simplify the process to review your work.
>
> I think you are in the best position to determine what patches should go
> into a new security release. In general we want to fix all open issues.
> We don't necessarily need to fix all at once but having to do several
> small releases, which might be disruptive for users, should be avoided
> if possible.

What's the problem with cooperating through the upstream repository? You
can grab all patches from there, they apply directly to the packaged
sources as well.

I also plan to make a new 0.8 release once enough fixes have accumulated.
You can use that as a base for your next Debian release.
> In short we need:
>
> a) the single patches rebased against the current version in Wheezy or a
> Git repository for the same purpose

https://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/0.8

> b) a concrete statement what patches and how many should go into the
> next security update

All commits in the above branch, which will also appear in the next 0.8
release.

> c) a deadline
>
> Provided we can clarify a) and b) soon, would it be doable to release a
> new security update at the end of September?

The end of September sounds good to me, I can roll a new release then.

> P.S.: Sending mails to the list should be sufficient because every team
> member is subscribed to it.

OK, only sending to the list now.

Diego
Attachment:
signature.asc
Description: Digital signature