Re: spamassassin 3.1.8



Hi Duncan,

On Tue, Feb 13, 2007 at 05:09:44PM -0500, Duncan Findlay wrote:
> SpamAssassin 3.1.8 will be released shortly with a fix for
> CVE-2007-0451, among other changes.

> What I'd like to know is whether I should build a 3.1.7 package with
> the backported security fix, or whether I should upload 3.1.8 to
> unstable and ask that it be propagated to testing. What are the
> guidelines in this area?

> Here's a summary of the changes from 3.1.7 to 3.1.8:

> 3.1.8 is a major bug-fix release, including the following issues:

> - bug 5318: set a maximum internal length for URIs
> - bug 5240: disable perl module usage in update channels unless
>   --allowplugins is specified

this one in particular seems like a behavior change that shouldn't be
introduced into etch at this late stage of the freeze.

> - bug 5056: remove Text::Wrap related code due to upstream issues

hmm, also sounds like a risky change during a freeze.

So yes, a backport of the security fix would be appreciated.

> If a backport is needed, do I upload 3.1.8 to unstable and then
> 3.1.7-2 to t-p-u or is it better to upload 3.1.7-2 and wait for it to
> propagate before uploading 3.1.8?

It's better to upload 3.1.7-2 to unstable first and let it propagate to
testing, since the autobuilders (must) give precedence to unstable over
testing-proposed-updates.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/


