(this mail summarizes the situation for shadow in sarge) Quoting Martin Zobel-Helas (zobel@ftbfs.de): > Hi, > > for those who wonder why their package did not yet hit proposed-updates, > they want to have a look on [1] and [2]. > > The backlog we had is now decreasing, d-i builds should have been > started by now. The shadow package you have pending (4.0.3-31sarge7) must be synced with the security update that's in the hands of the security team. The security team has been provided with a fix for CVE-2006-3378. The diff.gz I provided them is numbered 4.0.3-31sarge6. It DOES NOT include the update related to #356939 which is included in 4.0.3-31sarge7 that's in your hands (SRM team). So, we currently have two updates pending for shadow: -31sarge6 with the CVE-2006-3378 fix, in the hands of the security team -31sarge7 with the fix related to #356939, in the hands of the SRM team Ideally, a version with both fixes should go in proposed-updates as soon as 31sarge6 is accepted by the security team. That version should be numbered 31sarge8. Another option is to build 31sarge6 with BOTH fixes, of course. This "just" needs syncing between the SRM team, the security team and probably the ftpmasters. Given that I'm away for 3 weeks from now, I leave all this in the hands of my co-maintainer, Nicolas François (nekral on IRC). Please get in touch with him for ANY issue related to shadow (please CC me or pkg-shadow-devel@lists.alioth.debian.org). His mail address is CC'ed to this mail and he is mentioned in the package Uploaders. Nicolas may need sponsored uploads as he's not a DD.
Attachment:
signature.asc
Description: Digital signature