On 2013-05-10 7:00, Thomas Goirand wrote:
On Fri May 10 2013 01:25:04 PM CST, Adam D. Barratt <adam@adam-barratt.org.uk> wrote:
On Fri, 2013-05-10 at 13:19 +0800, Thomas Goirand wrote:
> On Fri May 10 2013 01:05:55 PM CST, Adam D. Barratt <adam@adam-barratt.org.uk> wrote:
> > Was this upload discussed with anyone on the release team beforehand?
> With the release team no, with the security team, yes (with Luciano).
The security team aren't responsible for the management of proposed-updates; they can tell you that they're not planning on handling an issue via a DSA, but that just means that you should follow the usual procedure for a stable update.
Thanks for your very fast reply. Hum... I am confused now...
It would appear so, yes. :(
In the past, I have uploaded some security updates through stable-proposed-updates. Are you saying that this is the wrong thing to do?
If the security team have indicated that they don't plan on issuing a DSA to cover an issue and you've discussed it with the release team and had the upload acked, it's entirely the right thing to do.
If so, you should IMO discuss that with the security team,
I'm fairly sure the security team are quite clear on the procedure here (although it might be helpful if when asking people to go via p-u rather than security they emphasised that this is not an okay to upload to p-u).
as it seemed to me that this was part of the procedure so that they could check for the upload before moving it to security.d.o.
No. Packages _do not_ move from p-u to security. When packages are issued via security.d.o they are later copied to p-u. There is no movement in the other direction. If the security team want to check things they'll ask for diffs or ask you to upload to security.d.o.
I do believe that a DSA is planned (and if it is not, then we should).
The issue is marked in the security tracker as "no-dsa", which certainly indicates one isn't planned.
Regards, Adam