[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Advice for DLA needed entry

Hi Adrian

Thank you for this clarification. I obviously misread your note. I clarified it a little bit so maybe someone else does not make the same mistake as I did.
I removed my own note asking whether the package should be removed from this file or not.

I do not have a good solution to how we should handle this package in dla-needed.
If we keep it in dla-needed we will constantly have people like me who think that something should be done when it is not claimed. If we do not add it to the dla-needed file we may get someone triaging it and add it again, and then people do not know that you have already semi-claimed it already.
Should we write your name on the claim (because you do in practice have it claimed, but the problem here is that it will be a long claim, but that is not an issue if you keep adding notes) or should we write a fake claim like [semi-claimed pending buster backport] as claim name?

Cheers

// Ola

On Thu, 31 Dec 2020 at 11:06, Adrian Bunk <bunk@debian.org> wrote:
On Wed, Dec 30, 2020 at 11:33:12PM +0100, Ola Lundqvist wrote:
> Hi
>
> Today I worked some on wireshark and concluded that all CVEs were postponed
> for buster. So I did some research to check if they were applicable to
> stretch as well and added quite a few notes about this in the tracker.

The fixes for the 2 new CVEs are trivial to backport,
I'll update my buster-pu request.

> Now to my question. Should wireshark now be in dla-needed.txt?

  NOTE: 20201129: buster-pu in #975932, will backport when in buster (bunk)

What alternative would you suggest to inform other LTS contributors that
14 CVEs were already fixed and why the upload to stretch is pending?

>...
> Or should we even be before in LTS?

Shipping a higher versioned package in oldstable than what is in
stable is problematic, versioning would have to be something like
2.6.8-1.1~really2.6.20

But there is no need to hurry when nothing is considered serious enough
for a DSA.

> Cheers
>
> // Ola

cu
Adrian



--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------

Reply to: