Re: ClamAV update in jessie
Hi Salvatore,

> I would say it depends a bit. It might be clear, but just
> to be on the safe side, stating it here: the CVEs fixed for clamav are not
> to be associated with those rebuilt packages as well.
> 
> I was thinking whether I remember similar cases for DSAs. Let me see; off
> the top of my head I do not actually recall many such special cases. Only
> two I remembered and looked up; there might be more!
> 
> DSA-3433-1 was a case where we needed an update for ldb first, and
> then a rebuild of samba as well with that version in place. So not
> really exactly what you have here.
> 
> CVE-2013-7439 was another case, more similar to the one which is to be
> handled by you. As the list there was too long, we decided back then
> to put the list in the tracker; this is not very optimal though. If
> you have only those couple of rebuilds, then you can simply state this
> in the DLA for clamav, that packages x, y and z are to be rebuilt for
> the ABI changes.
> 
> Of course you can decide to release single DLAs for the 'package
> update due to the need of a rebuild', but I guess it should be made
> clear then in the text of the DLA that they are just needed due to the
> ABI change in clamav.

Thanks for this advice. Indeed, releasing security advisories for
rebuilds (which are, in the end, non-security-related issues) doesn't sound
right.

Releasing a single DLA similar to DSA-3224 is probably the best option, and
instead of pointing to the tracker I would just explain the situation and
list the four reverse dependencies.

cheers,
Hugo

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C