
Bug#947143: RFS: wordpress/5.3.2+dfsg1-0.1 [NMU] [RC] -- weblog manager



Adam,

On 2019-12-21 23:32:57, Adam Borowski wrote:
> Control: tags +moreinfo
>
> On Sat, Dec 21, 2019 at 11:08:46PM +0100, debbug@Think-Future.com wrote:
>> Severity: critical
>
> If it's indeed this serious, shouldn't this update go via security channels
> first?

I guess so. Sounds reasonable. But, you tell me.

> On 2019-12-21 22:29:06, DebBug wrote:
>> Package: sponsorship-requests
>> Severity: normal
>>
>> Dear mentors,
>>
>> I am looking for a sponsor for the package "wordpress"
>>
>> * Package name    : wordpress
>>   Version         : 5.3.2+dfsg1-0.1
>
>> Changes since the last upload:
>>
>>  * Non-maintainer upload.
>>  * New upstream release
>
> So you're trying to upload merely a new release, rather than a fix for a
> security bug (which would warrant such expedience).  There might be
> bugfix-only upstream releases (for good upstreams) or hopelessly-tied-with-
> unrelated-features releases (for bad upstreams), but at the very least you'd
> need to point to specific reasons to hurry.
First off, I sense a bit of a tone here. I'm feeling accused.
Just explain what you think and I'm fine with it.

Now, regarding the matter at hand, it occurs to me not everyone is familiar with wordpress: there was a new release upstream in November, two security updates in December, but not a single deb pkg update.

For someone conscious about security issues, for a CMS that popular, more than a month down the road, even after security-related releases, it's rather a long time without deb updates.

So, it seems this would warrant an update for a new (security) release. I am willing to support the package's maintainers, to contribute for others to profit from it, because that's the spirit of open source, right?
So there's the updated package, the sponsored NMU and its RFS. No
cherry-picking fixes for outdated versions' security bugs, as wordpress security fixes are released as is, and I cannot intend on starting to backport bug fixes to outdated versions.

You're asking for reasons.
The reasons are obvious. There are flaws in a piece of software, being actively exploited (observedly, even before any SA was out), the software being widely deployed putting users' systems and data at unnecessary and avoidable risk.

Anyone to chime in? Craig? Markus?

> But here, you're apparently going with a whole new upstream branch, over the
Latest deb pkg version: 5.2.4
upstream, November 12: 5.3
latest upstream security release, December 18

That's the way the wordpress devs handle it, and the previous deb pkg version seems to do the same thing as this NMU.

Frankly, I don't get your point here. It seems to me like:
[X] not applicable.

> head of the maintainer, who seems to be active -- and all of that without
Woah. Easy. Accusive, again.
How do you know, I am "going over the head of the maintainer"? You cannot. Yet, you assume so.

> even trying to follow the procedure.
And again.

What procedure are _you_ referring to? I'd like to have a read on this. You know, let's keep this on the factual side; this way it may be beneficial to the Debian project. Handling motivated, interested people like this doesn't seem to me as beneficial to the Debian project as it should be. Sadly, as it is, the Debian project has since suffered from exactly this kind of treatment of other people.

Technical expertise and soft skills often seem not to be living under the same tree. We must strive for those virtues to be flatmates.

I am adhering to the procedure for debian package upload sponsorship, NMU, new members doc, new maintainers packaging doc
and probably a couple more.

Cheers

Nils
