
Re: Request for release team decision on MySQL and MariaDB [was: Re: Bug#793316: [debian-mysql] Bug#793316: transition: mysql-5.6]



On Fri, 18 Dec 2015 22:31:05 +0100, Robie Basak <robie.basak@ubuntu.com> wrote:

(removing Jonathan specifically; the debian-release ML should be
sufficient as this is for the release team generally now)

On Mon, Dec 14, 2015 at 05:45:24PM +0000, Robie Basak wrote:
Can I ask that this request (for the release team to make a decision
between the choices I outlined[1]) be tabled again at the IRC meeting I
understand will be taking place this Wednesday? Please let me know if
there's anything I can do to help you make a decision on this.

Following up, here's a summary of the outcome from the meeting
yesterday. There is also a full log[1] and the previous meeting[2] from
23 September is also relevant.

Thanks for attending the meeting and for the summary, Robie! Like you, I'm on vacation and have little opportunity to handle this until January. But I thought I'd throw in a request for a bit more information on one of the points:

20:12:56 <pochu> 2- no disclosure of security issues w/ patches

I know we are a bit tight with info about security issues upstream, but all security bugfixes are available at https://github.com/mysql/mysql-server as individual commits, and a list of CVEs fixed is reported quarterly according to a published schedule. Apparently that's not enough.

I fix the occasional security bug myself, but in the day to day work, I'm not involved in handling CVEs etc., so I need some more details about what Debian thinks is missing. It's hard for me to start a good discussion upstream without fully understanding the issue. Can someone (e.g., the security team?) please explain to me exactly what's requested and how you're expecting to use the information? Can Debian handle information given under NDA, or must all security bug info be public? When I understand the problem, I can pull together the right people upstream and see what we can do to fix it.

Merry Christmas,

Norvald H. Ryeng

