
Re: Security fix for jquery-jplayer 2.1.0-1



On Sat, 2013-04-27 at 09:12 +0200, Vincent Bernat wrote:
>  ❦ 27 April 2013 09:01 CEST, "Thijs Kinkhorst" <thijs@debian.org> :
> 
> >> Wheezy contains my package jquery-jplayer 2.1.0-1, which is affected by a
> >> few security issues which have been recently fixed upstream. One of the
> >> issues is CVE-2013-1942. Two other issues, although important, did not get
> >> a CVE number.
[...]
> >  * Convert to source format 3.0 (quilt) to apply the patches that carry the
> >    fixes
[...]
> Not in the release team either but I disagree that switching to 3.0
> (quilt) is an unacceptable change. This is far more simple than adding a
> patch system in debian/rules and better practice than putting those
> changes in diff.gz.

Adding a patch system at this stage isn't really appropriate either, I'm
afraid. One middle ground that's been used in some other packages is to
apply the patch directly but also add a copy of the patch to the source
package (possibly in an otherwise unused debian/patches directory).

Regards,

Adam

