On Wed, Nov 13, 2019 at 08:24:55AM -0500, Roberto C. Sánchez wrote:
> > We usually mark affected CVE as <end-of-life> in data/CVE/list and just
> > add the package to security-support-ended.deb8 in
> > debian-security-support. We then upload new versions of the package
> > periodically and announce it via DLA. I believe now is a good time to do it.
> Thanks for the information. I will start working on it today.
As any DD can commit to debian-security-support.git and also can upload
that package, just make sure to call it a team upload in d/changelog to
appease lintian and possibly other tools.
And then it would be ideal to upload the package to unstable and then
file a SRM bug to update the package in stretch, in addition to
uploading to jessie. (Probably this should also result in a DLA, not
100% sure though. Thoughts & comments definitly welcome.)
I believe it's fine if the version contraints (package version in
unstable higher than testing higher than stable higher than oldstable)
are temporarily not met, but I also believe it's important that they are
in the long run & most of the time.
If doing all this work is too much or tedious to you, please shout and I
will be happy to finish this. Please just do at least the initial
change in git to security-support-ended.deb8.
Thanks!
--
cheers,
Holger
-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Attachment:
signature.asc
Description: PGP signature