
Re: Possible clashing of work



Hi Markus,

On Wed, Jul 1, 2020 at 10:00 PM Markus Koschany <apo@debian.org> wrote:
> > 1. imagemagick/oldstable
> > Please shout back if I should not.
> Thanks for being proactive. Actually I am working on Jessie and Stretch.

Great!
Since ImageMagick warrants a DSA for Stretch, I am going to drop it
from dla-needed.
And simultaneously add it to ela-needed (for Jessie) and assign it to
you (as you're working on it).

> Imagemagick in oldstable has never received any attention from the
> maintainers, thus I wonder why this is the case now when the switch to
> LTS is imminent. There are 60 open or ignored CVEs in Stretch. Do the
> maintainers of imagemagick intend to fix them all?

It seems that it has been over a year since any of the maintainers did
an upload.
So I don't know. Perhaps I'll leave it for the Security team to answer that.

> > 2. squid3/oldstable
> > Please really shout back if I should not.
> The update is ready. There is a new CVE, CVE-2020-15049, but it can be
> postponed for now. That should not stall the release. I wanted to send
> a request for testing to debian-lts due to the many changes in the code
> base. The same version can be used for Jessie and Stretch. I would keep
> squid3 in dla-needed.txt since the update is relevant for Stretch.

But it would make no sense to keep it in dla-needed.txt (which is for
Stretch now!) since squid3 is already in dsa-needed.
It'd just make things weird since keeping it in dla-needed means you want
to issue a DLA for Stretch and having it in dsa-needed means there'll
be a DSA for the same thing.

So I propose to drop it from dla-needed instead!?

Let me know what you think.


Best,
Utkarsh

