
Bug#947143: RFS: wordpress/5.3.2+dfsg1-0.1 [NMU] [RC] -- weblog manager



Hi Markus,

Thank you for clarifying the situation.

On 2019-12-23 18:24:08, Markus Koschany wrote:
> Hello Niels,
>
> On 23.12.19 at 15:04, DebBug wrote:
>
>> Anyone to chime in? Craig? Markus?
>
> There is a bit of confusion here, so I will try to explain the situation and
> how we should proceed. Thank you for filing bug report #947212 to track
> the security issues in Wordpress. This will help to answer those
> questions raised by Adam. However, there was already #946905 that you
> could have used as well.

Must have missed that one.

> You have only recently added me to CC, presumably because I have done

IIRC, Craig added you initially, FWIW.

> some security uploads in the past for Wordpress. I don't know what you
> have discussed with Craig and if he wants to review your work and
> sponsor it later. Then you actually don't need to open a sponsorship
> request on debian-mentors.

I do not yet know how the process continues, whether Craig will upload the updated package or someone else, and when.

> Sponsorship requests are either of severity normal or important. Here it
> would be ok to use important, but the severity is merely an indicator and
> it doesn't automatically guarantee that a bug is prioritized. Security
> related bugs like #947212/#946905 are either of severity important or
> grave.

OK. From my perspective, regarding the wordpress issue and being responsible for maintenance of a number of exposed instances, it is *critical* that security releases get integrated on short notice. As explained, systems and data are at elevated risk in the particular case of wordpress, which has a considerable share of worldwide CMS instances. This also entails liability in case of data loss and/or successful exploitation of local and/or remote resources, in terms of the legal obligation of care for user data, customer data and systems, as well as in terms of the GDPR. This direct consequence is what drives a severity of "critical". It is also the reason for my providing an updated debian wordpress package for NMU. I prefer debian packages over upstream packaging, and if I'm packaging deb package updates locally I might as well let others profit from it.

> Version 5.3.2 seems to fix a couple of security vulnerabilities. No CVE
> has been assigned yet. This version should be uploaded to unstable.

My intention.

> If you want to fix Wordpress in Buster and Stretch as well, then you
> have to go a different route. The security team is responsible for that.
> As previously discussed I recommend to base security updates on upstream
> releases for specific Wordpress branches.
>
> https://wordpress.org/download/releases/
>
> Buster should be updated to version 5.0.8 and Stretch to 4.7.16. In both
> cases you would base your work on the Wordpress packages in Buster and
> Stretch. The changes to the debian files should be minimal, you would
> merely rebase existing patches and repack the tarball to make it
> compliant with the DFSG.

Not so much my intention. Basically, not at all, for now. I'm depending on the latest upstream releases, so I'm sticking with unstable wordpress packages.

> In short:
>
> Version 5.3.2 -> unstable
> Did Craig agree with the upload?
> If there is simply no response because of the holiday season we could do
> a NMU with a delay of 5 to 10 days. I assume you haven't made any major
> changes to the package.

Well, as detailed above, those delays -- for this particular package -- are unacceptable, at least for me. On top of that, there is the delay from the point in time upstream released to the bug being reported. Is there a way to speed up this whole process for future releases? Sure, I locally feed the updated packages to archive mirrors, although I'd prefer not preempting debian package releases.

> After that:
> Version 5.0.8 -> buster-security
> Version 4.7.16 -> stretch-security
>
> You can already prepare the packages, then we contact the security team
> and ask for approval.

For the time being, I am time-constrained to provisioning for unstable.

> Regards,
>
> Markus

Thanks again for your explanation and efforts. Have a nice holiday.

Cheers

Nils
