
Re: Fixing minor/unimportant issues via DLA on demand



Hi,

On 20/03/2020 18:04, Utkarsh Gupta wrote:
> On Fri, Mar 20, 2020 at 5:33 PM Sylvain Beucler <beuc@beuc.net> wrote:
>> These are 2 cases (request from Jessie user or from maintainer) that I
>> have yet to see :)
>> Do you have a specific case in mind?
> I do. But I am not very sure if I should mention the user thingy
> publicly or not.

We can discuss the specific vulnerability. Otherwise I would stick to
the minor/unimportant guidelines from my previous mail (i.e. from
https://security-team.debian.org/security_tracker.html).

If a user requires a minor/unimportant fix though, that may mean that
the bug was incorrectly categorized and could be re-evaluated with
additional input in data/CVE/list.

> Anyway, the other case (where the maintainer wants to fix) is phpmyadmin.
> Of course, he being the upstream and downstream maintainer, wanted to
> fix this in Jessie.
Hmm, I'm curious. What vulnerability would he like to fix that we
didn't? This may mean we should have.
> And I am happy to help in such cases, because why not?
> Just curious, if such a case happens, should I/we issue a DLA or not?
Any DD can directly update Jessie following:
https://wiki.debian.org/LTS/Development
with no additional privileges (that's what postgresql's maintainer does).

You can certainly send a DLA on behalf of the uploader, if they don't
want to do it.

Cheers!
Sylvain

