Re: spamassassin 3.1.8
Hi Duncan,
On Tue, Feb 13, 2007 at 05:09:44PM -0500, Duncan Findlay wrote:
> SpamAssassin 3.1.8 will be released shortly with a fix for
> CVE-2007-0451, among other changes.
> What I'd like to know is whether I should build a 3.1.7 package with
> the backported security fix, or whether I should upload 3.1.8 to
> unstable and ask that it be propogated to testing. What are the
> guidelines in this area?
> Here's a summary of the changes from 3.1.7 to 3.1.8:
> 3.1.8 is a major bug-fix release, including the following issues:
> - bug 5318: set a maximum internal length for URIs
> - bug 5240: disable perl module usage in update channels unless
> --allowplugins is specified
this one in particular seems like a behavior change that shouldn't be
introduced into etch at this late stage of the freeze.
> - bug 5056: remove Text::Wrap related code due to upstream issues
hmm, also sounds like a risky change during a freeze.
So yes, a backport of the security fix would be appreciated.
> If a backport is needed, do I upload 3.1.8 to unstable and then
> 3.1.7-2 to t-p-u or is it better to upload 3.1.7-2 and wait for it to
> propogate before uploading 3.1.8.
It's better to upload 3.1.7-2 to unstable first and let it propagate to
testing, since the autobuilders (must) give precedence to unstable over
testing-proposed-updates.
Thanks,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon@debian.org http://www.debian.org/
Reply to: