On Mon, Feb 9, 2015 at 1:16 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> Hi Joe,
>
> Not member of the release team here, so not authoritative ;-). So just
> giving some comments. Btw, thanks for preparing the package!

Thanks for your helpful comments. I have no idea what I'm doing as far as Debian standards go, so your reply is much appreciated.

>> +libfcgi (2.4.0-8.2) wheezy-security; urgency=high
>
> The version should be 2.4.0-8.1+deb7u1. 2.4.0-8.2 cannot be used as
> 2.4.0-8.2 was already in the archive. For the s-t-u wheezy-security as
> distribution needs to be changed to wheezy.

Fixed both of these, see attached debdiff. Wasn't sure what to set the urgency to, so I set it to low.

>> + * Non-maintainer upload.
>> + * Apply path from Anton Kortunov to swap select with poll to avoid
>> + stack smashing (See: #681591 and LP: #933417).
>
> could you please reference as well the CVE in the changelog, and close
> the bug: you can use "Closes: #681591" to reach this.

Fixed both of these, as well.

> Joe, if you get an ack from the release team on your upload for
> libfcgi I can happily sponsor the upload itself.

How do I go about doing that? Is there a separate email list I need to ping?

I don't have a GPG key that is connected to Debian in any way. I can create a key and upload it to the MIT PGP server. Is that useful at all for the upload of my changes file? Not sure if signing with my key will help or just complicate things further. From what I read, I was under the impression that changes without signatures from GPG keys in the web of trust are not processed in the upload queue.

Joe
Attachment:
libfcgi_2.4.0-8.1_2.4.0-8.1+deb7u1.diff.gz
Description: GNU Zip compressed data
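Review bot: In the quoted changelog entry, the line "+ * Apply path from Anton Kortunov to swap select with poll to avoid" has "path" where "patch" is meant. Correct it in the revised entry, since the changelog text is what ships with the security update and is what people read to see which fix was applied.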