
Re: security fix dependency



Laszlo 'GCS' Boszormenyi <gcs@lsc.hu> writes:

> Dear Mentors,
>
> I have a seemingly stupid question. Say I am not a DD yet, and have a
> security bug in a package I help maintain. Upstream fixed it, so the
> package is ready, but upstream requires a newer library version from a
> dependency than the current Debian version. I asked the library maintainer
> recently to upgrade his package, but no answer yet. As the lib is small,
> and its new upstream version contains only bugfixes, I have packaged
> it, based on the original maintainer's package. My questions:
> - would it be wise to upload the lib to a delayed queue and note the
>   maintainer or not?

What other choice do you have? The security bug has to be fixed.

But if the new library only contains bugfixes then the old binary
should exhibit the same bugs and the new binary should compile with
the old lib just as well (but still have those bugs).

There must be more changes than just bug fixes. API/ABI changes? That
could require a new soname.

> - how should I change the version numbering? If I use the new upstream
>   version, then lintian correctly sees that, as I am not in the Uploaders
>   field, the packaging is an NMU, but with a wrong version number...

Something like

1.2-3.1.realy.1.3

or

1.3-0.1

> Thanks,
> Laszlo/GCS

MfG
        Goswin


