
Re: freeze exception -- bugzilla3 3.6.3.0-1
On Mon, 2010-11-22 at 10:34 +0100, Raphael Bossek wrote:
> thank you for your support. Sorry but I missed your response.
> If 3.6.3 is not accepted for testing -- where these security
> vulnerabilities (http://bugs.debian.org/602420) are solved upstream --
> applying patches to 3.6.2 could be put in consideration. By the way,
> 3.6.3.0-2 solved some further issues with noninteractive installation
> (piuparts) and missing package dependencies; both issues exist in the
> 3.6.2 series of Debian packages.

Every release update since the freeze was announced has mentioned that
uploads to unstable should not include extraneous changes or fixes; a
new upstream release which includes changes which do not fix RC bugs is
fairly clearly likely to end up being viewed as extraneous at this
point.

> I would prefer the 3.6.3 because it's simpler to read the CVE and
> compare the version of the package instead of reading the changelog
> for solved security vulnerabilities.

That approach generally won't work in Debian anyway, as the version
numbers in a stable release won't correspond to those in which upstream
have fixed vulnerabilities in many cases.

> PS: Here the missing diff between the uploaded and testing version of bugzilla.

That's nowhere *near* the diff between the two versions.  The patch you
provided only appears to cover parts of debian/ and is:

 13 files changed, 82 insertions(+), 85 deletions(-)

whereas

$ debdiff ftp/pool/main/b/bugzilla/bugzilla_3.6.{2.0-4,3.0-2}.dsc 2>/dev/null | diffstat | tail -n1
 1645 files changed, 80807 insertions(+), 94494 deletions(-)

A lot of that is probably ignorable as it relates to changes in CVS
and .svn{,-base} files and directories (why are those even in the diff?)
but at this stage of the freeze we shouldn't be having to spend
significant amounts of time reviewing diffs where the patches for the
required fixes amount to less than two hundred lines of nett changes.

Regards,

Adam
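A filtered tally of the kind Adam's debdiff | diffstat pipeline produces, as an added example that is not part of the original mail: it counts a unified diff's changes while skipping the CVS/ and .svn/ paths he says inflate the diff, so a freeze-exception upload can be sized by its real changes. The sample diff, its file names and the count format are constructed for the example; the function is a simplified stand-in for diffstat, not the real tool.

```shell
# Added example (not from the original mail): diffstat-style tally that
# ignores CVS/ and .svn/ paths so a debdiff can be judged by real changes.
# Usage: debdiff old.dsc new.dsc | count_nonvcs_changes
count_nonvcs_changes() {
  awk '
    /^diff / { expect = 1; next }           # a file header follows
    expect == 1 && /^--- /   { expect = 2; next }
    expect == 2 && /^\+\+\+ / {
      expect = 0; file = $2                 # path only; timestamp ignored
      skip = (file ~ /\/(CVS|\.svn)\// || file ~ /\.svn-base$/)
      if (!skip) files++
      next
    }
    /^@@/ { expect = 0; next }              # inside a hunk from here on
    skip  { next }                          # VCS noise: do not count it
    /^\+/ { ins++ }
    /^-/  { del++ }
    END { printf "%d files changed, %d insertions(+), %d deletions(-)\n",
                 files, ins, del }
  '
}

# Constructed sample of debdiff output (file names are made up).
sample_diff() {
  cat <<'EOF'
diff -Nru bugzilla-3.6.2.0/Bugzilla/Example.pm bugzilla-3.6.3.0/Bugzilla/Example.pm
--- bugzilla-3.6.2.0/Bugzilla/Example.pm
+++ bugzilla-3.6.3.0/Bugzilla/Example.pm
@@ -1,3 +1,5 @@
 package Bugzilla::Example;
-use strict;
+use strict;
+use warnings;
+# validate input before use
 1;
diff -Nru bugzilla-3.6.2.0/Bugzilla/.svn/text-base/Example.pm.svn-base bugzilla-3.6.3.0/Bugzilla/.svn/text-base/Example.pm.svn-base
--- bugzilla-3.6.2.0/Bugzilla/.svn/text-base/Example.pm.svn-base
+++ bugzilla-3.6.3.0/Bugzilla/.svn/text-base/Example.pm.svn-base
@@ -1 +1 @@
-use strict;
+use warnings;
EOF
}

sample_diff | count_nonvcs_changes   # .svn-base copy is not counted
```

Unfiltered, diffstat would report two files here; the .svn-base copy of the same change is exactly the noise that doubles the numbers in the 1645-file diff above.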

