
Unblock request for mantis and request for comments



Hi,

thanks for hinting the last uploads into lenny w/o me requesting it.
This time I don't want to miss asking for unblock. Because of security
issue #502728, I've prepared an update to the mantis package.
Unfortunately this took me two uploads (because a bug introduced by the
patch slipped through my testing :/) so the version to be unblocked
would be 1.1.2+dfsg-8.

Changelogs:
mantis (1.1.2+dfsg-8) unstable; urgency=high
 .
   * Urgency high because it is an update for a security issue
     which was patched in the last upload.
   * Updated the patch for the remote code execution vulnerability to
     avoid possible regressions that might be caused by the wrong
     implementation in the first patch.

mantis (1.1.2+dfsg-7) unstable; urgency=high
 .
   * Urgency high because it fixes a security issue
   * Added a fix for remote code execution vulnerability that can be triggered
     by registered users (Closes: #502728)

Apart from this I'd like to ask about the release team's opinion:
Upstream prepared a new upstream release a few days ago. It's a bugfix only
release. It does not include new features, but the changeset is still
rather intrusive, because they refined the implementation of form
security tokens. Because of the large changes regressions are likely and
so they already released a bugfix-for-the-bugfix-release and one or two
releases are likely to follow. Otherwise the current release makes a
good and mature impression.
I'm quite convinced that lenny users would benefit a lot from the next
release (which will happen in a few days). Also it could make the work
for the security team possibly a little bit easier.
On the other hand we are in deep freeze now and I'd usually like to
avoid introducing large changesets into Lenny. But then again (given the
current state of the release process) the package could get some more
testing in Unstable before migrating and there are no reverse-depends
for mantis. So the risk of including a totally untested package can be
avoided and apart from this the package wouldn't be a risk for other
packages.

I'm indecisive, but after all it isn't my opinion that counts. So my
question is: What's the release team's opinion?

Best Regards,
Patrick
