
Re: Allow pyrad 1.2-1+deb7u1 into wheezy



Hi all

On Sun, Feb 17, 2013 at 12:19:00AM +0000, Jonathan Wiltshire wrote:
> On Sun, Feb 17, 2013 at 12:16:32AM +0100, Jeremy Lainé wrote:
> > Dear release team,
> > 
> > Yesterday the following security vulnerability in the "pyrad"
> > package was brought to my attention by Salvatore Bonaccorso:
> > 
> > https://security-tracker.debian.org/tracker/CVE-2013-0294
> > 
> > It is tracked in the following bug:
> > 
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700669
> > 
> > I have uploaded version 1.2-1+deb7u1 targeted at
> > testing-proposed-updates (debdiff attached), as unstable carries a
> > different upstream version. Could you please let this version into
> > wheezy?
> 
> It's traditional to seek approval *before* uploading; more so in this case
> since adding a patch system is a no-no. The change itself is fine, please
> upload with this only. You will have to bump the version number IIRC.

I was involved in reporting the problem, and I have now noticed a possible
problem with the versioning:

Current situation:

 pyrad | 1.2-1        | squeeze    | source
 pyrad | 1.2-1        | wheezy     | source
 pyrad | 1.2-1+deb7u1 | wheezy-p-u | source
 pyrad | 2.0-2        | sid        | source

Assuming there will also be either a DSA or a pu for pyrad, how should
that be versioned? Traditionally for Squeeze it was +squeeze1, but:

1.2-1 <= 1.2-1+deb7u1

but

1.2-1+squeeze1 is not smaller than 1.2-1 or 1.2-1+deb7u1.

Regards,
Salvatore

