Re: spamassassin security update in Debian jessie LTS
On Fri, Jan 31, 2020 at 10:01:05PM +0000, Mike Gabriel wrote:
> Hi Ola, Noah,
> On Fr 31 Jan 2020 20:32:01 CET, Ola Lundqvist wrote:
> > Hi
> > Spamassassin (and a few other packages) are handled a little differently
> > compared to most packages in Debian.
> > I'd advise that we go for the latest release. The only reason I see why we
> > would not, would be if we introduce some major backwards compatibility
> > issue.
> > // Ola
> Looking into a 3.4.4-1 backported to jessie (i.e. 3.4.4.-1~deb8u3) right
Please don't (unless, see below). Noah did already outline what is
going to be released for stable and oldstable, the patches are
extracted and applied. He referenced the needed patches.
Now if you are going still the route of backporting 3.4.4 (btw. the
version should be either 3.4.4-0+deb8u1 or if it's most backporting
the version minus packaging changes to be reverted 3.4.4-1~deb8u1),
then please first work on getting 3.4.4 backports in oldstable and
stable accordingly. SRM would need to agree on having those versions
rebased. Otherwise after your release of the DSA we will have that
jessie version of spamassassin is higher than the versions in stretch
Hope this helps.