Re: Possible clashing of work


On 01.07.20 at 17:50, Utkarsh Gupta wrote:
> Right now, this package has been claimed in dla-needed.txt by Markus
> and in dsa-needed.txt by jmm.
> Although I think jmm is working on Stretch and Markus is working on
> Jessie. But to be very explicit (since explicit is better than
> implicit :)), I am going to move the package from dla-needed.txt to
> ela-needed.txt (since it's listed in packages-to-support and since
> Jessie is now ELTS!).
> This will indeed make sure that there is no clash of work.
> Please shout back if I should not.

Thanks for being proactive. Actually I am working on Jessie and Stretch.
Imagemagick in oldstable has never received any attention from the
maintainers, thus I wonder why this is the case now when the switch to
LTS is imminent. There are 60 open or ignored CVEs in Stretch. Do the
maintainers of imagemagick intend to fix them all?

> 2. squid3/oldstable
> Right now, this package has been claimed in dla-needed.txt by Markus
> and by no one in dsa-needed.txt.
> Now, this is an interesting part.
> squid3 is not supported in Jessie ELTS. So we just want to fix it for
> Stretch. This means that it'd be very nice if Markus can work on
> oldstable DSA instead.
> This also means that I am considering to drop it from dla-needed
> (because it doesn't make sense to have it there anymore!?).
> Please really shout back if I should not.

The update is ready. There is a new CVE, CVE-2020-15049, but it can be
postponed for now. That should not stall the release. I wanted to send
a request for testing to debian-lts due to the many changes in the code
base. The same version can be used for Jessie and Stretch. I would keep
squid3 in dla-needed.txt since the update is relevant for Stretch.




