Re: RFS: mantis (updated package)



Hi Ben,

I appreciate your comments, but I think there's a little mix-up with
this thread. I'm sure it was my fault, let me explain ..

I uploaded a new package release of mantis to mentors to be sponsored. I
adopted this package but everything was in the wrong way, then I tried
to arrange things step by step.

My ITA was accepted by Olivier and Patrick (older maintainers), but
this bug wasn't closed yet... I don't want to extend myself, finally I
decided to upload a new release with some changes, closing some bugs and
also changing the new maintainer info.

Then, I sent a message to mentors, because "if someone reviews this new
release" maybe they won't understand "why I haven't fixed a security bug
in the newest release".. that's the thread of my conversation with Paul.

I have to review more than 3 years of work on this package to understand
what happened, that was great work and it's a pleasure .. but then I
found out what was happening with some deprecated files, like prototype ..
from older releases, not included in the deb package but still living in
the source tarball. .... (long story)

In my actual status, I just want to do things better, step by step,
I am not actually the official maintainer until the newest package is
uploaded, for that reason I don't want to send anything to the
BTS, to prevent confusion.

Following advice from Paul, I think it best to check with the security
team about some problems with this package, and establish with them the best
solution. I want to understand why this thing happens, to prevent it in
further versions, and review all source code to clear all possible
errors. Then if it's needed I would include some explanation in the next
release .. I just want to do it well.

I don't want to bother you with this subject, please accept my
apologies if I have hindered you.

Ben, thanks for all your appreciated help, ever, always, it's
appreciated to learn something new.

Kind regards,

Sils

BTW, I wish you a happy new year!



Ben Finney wrote:
> sils <sils@powered-by-linux.com> writes:
> 
>> Paul Wise wrote:
>>>> On Thu, Dec 31, 2009 at 6:41 AM, sils <sils@powered-by-linux.com> wrote:
>>>>
>>>>>> #555264 was reported from a mass-filing advice, it was about
>>>>>> prototypejs vulnerabilities, but it didn't affect mantis,
>>>>>> because the prototype.js file is no longer distributed in the mantis
>>>>>> Debian package since version 1.1.2+dfsg-1 (see changelog for
>>>>>> more info [0]).
> […]
> 
>>>> In that case you can close the bug right now with a versioned -done message:
>>>> http://www.debian.org/Bugs/Developer#closing
>> Thanks, it'll be better than a simple 'done', but I prefer to close
>> them when my maintainer status is set with the newest version I
>> uploaded to mentors, I suppose it's the right way to do it :-)
> 
> No, it's not the right way to do it. The bug is not fixed by a new
> release of the package, so closing the report by that release's
> changelog entry is not right.
> 
> Ideally, the release that actually fixed the bug would have closed the
> report. But that's not what happened, so the report is now out of date
> with reality by your account.
> 
> The bug is *already* resolved, by your account above; it's merely that
> the report has not been updated to reflect that fact. You should do that
> independent of any new release.
> 
