Re: spamassassin security update in Debian jessie LTS

Hi Salvatore, hi Noah,

On Sa 01 Feb 2020 14:01:36 CET, Salvatore Bonaccorso wrote:

> Hi Mike,
>
> On Fri, Jan 31, 2020 at 10:01:05PM +0000, Mike Gabriel wrote:
> > Hi Ola, Noah,
> >
> > On Fr 31 Jan 2020 20:32:01 CET, Ola Lundqvist wrote:
> >
> > > Hi
> > > Spamassassin (and a few other packages) are handled a little differently
> > > compared to most packages in Debian.
> > > I'd advise that we go for the latest release. The only reason I see why we
> > > would not, would be if we introduce some major backwards compatibility
> > > issue.
> > > // Ola
> >
> > Looking into a 3.4.4-1 backported to jessie (i.e. 3.4.4.-1~deb8u3) right
>
> Please don't (unless, see below). Noah did already outline what is
> going to be released for stable and oldstable, the patches are
> extracted and applied. He referenced the needed patches.
>
> Now if you are going still the route of backporting 3.4.4 (btw. the
> version should be either 3.4.4-0+deb8u1 or if it's most backporting
> the version minus packaging changes to be reverted 3.4.4-1~deb8u1),
> then please first work on getting 3.4.4 backports in oldstable and
> stable accordingly. SRM would need to agree on having those versions
> rebased. Otherwise after your release of the DSA we will have that
> jessie version of spamassassin is higher than the versions in stretch
> and buster.
>
> Hope this helps.


Salvatore, thanks for your feedback on this. You are right.

First, I, by now, have a spamassassin 3.4.4-1<deb8uX-suffix> that builds and works on jessie (and should similarly build and work on stretch/buster, with some minor DH related changes required).

I get the point about the need to have 3.4.4 in stretch/buster before shipping it in jessie. Acknowledged.

So, I'd like to play the ball back to Noah. Do you think that applying the security patches is sufficient for spamassassin in stretch/buster? Or have there been so many other fixes(TM) that justify an upstream backport to jessie/stretch/buster?

Esp. I am thinking about future compatibility with (upstream'ish) ruleset updates when those are performed on a Debian (old(old))stable system using sa-update.

For jessie, I will follow what Noah will be doing in stretch+buster, then. Valid point. Thanks for bringing it up again, Salvatore.


c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
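
The version-ordering constraint raised in the quoted reply can be checked mechanically. The following is an added example, not part of the thread or of any Debian tooling: a small re-implementation of dpkg's version comparison applied across suites. The jessie version strings are the ones suggested in the thread; the stretch and buster versions are constructed samples, and the function names are hypothetical.

```python
DIGITS = "0123456789"

def _order(c):
    """Sort weight of one character inside a non-digit run (dpkg rules)."""
    if c == "~":
        return -1                      # tilde sorts before everything, even end of string
    if c == "" or c in DIGITS:
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256   # letters sort before punctuation

def _cmp_part(a, b):
    """Compare two upstream-version or revision strings; returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            x, y = _order(a[i:i + 1]), _order(b[j:j + 1])
            if x != y:
                return -1 if x < y else 1
            i, j = i + 1, j + 1
        k, l = i, j
        while k < len(a) and a[k] in DIGITS:
            k += 1
        while l < len(b) and b[l] in DIGITS:
            l += 1
        x, y = int(a[i:k] or 0), int(b[j:l] or 0)   # digit runs compare numerically
        if x != y:
            return -1 if x < y else 1
        i, j = k, l
    return 0

def compare(a, b):
    """Compare two Debian version strings of the form [epoch:]upstream[-revision]."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, dash, rev = rest.rpartition("-")
        return (int(epoch), upstream, rev) if dash else (int(epoch), rest, "")
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def suite_order_violations(suites):
    """suites: (name, version) pairs, oldest release first. Returns (older, newer)
    pairs where the older suite carries the higher version."""
    return [(old, new) for n, (old, ov) in enumerate(suites)
            for new, nv in suites[n + 1:] if compare(ov, nv) > 0]

# stretch/buster versions below are constructed samples, not the real archive contents.
PATCHED = [("jessie", "3.4.4-1~deb8u1"), ("stretch", "3.4.2-1+deb9u1"), ("buster", "3.4.2-1+deb10u1")]
REBASED = [("jessie", "3.4.4-1~deb8u1"), ("stretch", "3.4.4-1~deb9u1"), ("buster", "3.4.4-1~deb10u1")]

if __name__ == "__main__":
    print(suite_order_violations(PATCHED), suite_order_violations(REBASED))
```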
