
Re: Security fix for jquery-jplayer 2.1.0-1



* Adam D. Barratt <adam@adam-barratt.org.uk> [130428 21:24]:
> From the page in question:
> 
> <quote>
> Rule #1. In all cases, when preparing an upload, please do not make
> changes to the package that are not related to fixing the bugs in
> question. As a non-exhaustive list, this implies not:
> 
> Changing source format
> Changing patch systems
> </quote>
> 
> That text has been there since November.

Yes, I read that and I'm very surprised at what it is supposed to mean.

> > A change from 1.0 with no upstream modifications to 1.0 with modifications
> > is about as big as the change to 3.0 (quilt).
> > So I'm quite surprised as well that someone could read those rules in a
> > way to forbid using 3.0 to add the first patch to a package.
>
> Changing to 3.0 (quilt) is "changing source format", so I'm not sure how
> they can be read as /not/ forbidding doing so in a package which was
> previously 1.0.

If there is a fire exit that says "Entering forbidden. Open only in
emergency." then I suppose that in an emergency one might not only open it
but also use it, though the text does explicitly forbid entering.

A package that previously had no changes to the upstream code being
transformed to something with changes in a 1.0 diff is a change, is hard
to review and means any future security uploads will be even more so.
While a change to 3.0 has hardly any effects in this case (as opposed to
a change from something with already some patch manager or something
that otherwise already has changes).

So I'd never have guessed your interpretation. Which is why I suggest
to improve it.

        Bernhard R. Link

