Re: Your "acpid" stable upload



[Cc += team@security]

On Wed, 2012-05-02 at 11:26 +0200, Michael Meskes wrote:
> > I noticed that you've uploaded an "acpid" package to proposed-updates.
> > Was this discussed with anyone on the release team beforehand?
> 
> Yeah, with Zobel. Come to think of it, he's no longer a stable release manager,
> is he?

Not for a few years now, no. :-)

> Sorry for the fuss, guys. Feel free to reject the upload. My bad, I
> hurried the upload after seeing the announcement of the next point release.

No worries.  I had a suspicion that might have been the case... fwiw
there's a pointer to the relevant dev-ref section in the bug log.
"reportbug release.debian.org" works quite well too :-)

[...]
> The security team did a release fixing two bugs. One was in an example script, 
> the other one unfortunately wasn't done right. So right now we have an acpid 
> package that doesn't work correctly.
> 
> After the bug report showed the problem I asked them to release a new version 
> but they refused and pointed me to the next point release, which is why I 
> uploaded that package yesterday.

On the whole, regressions introduced via the security archive are
generally fixed via the security archive.  Looking at the DSA in which
the code in question is released, I guess it's part of the fix for
CVE-2011-1159?  If so then indeed local DoSes tend to be treated as
issues which the security team don't address via DSAs, at least not
unless they're bundled with other fixes.

team@security, could you confirm the above is correct and also that
there aren't any plans for a fix for the issue via the security archive
in the near future?

Regards,

Adam
