On 2018-10-21 12:48, Salvatore Bonaccorso wrote:
> Hi,
>
> On Sun, Oct 21, 2018 at 11:21:36AM +0000, Georg Faerber wrote:
> > Hi,
> >
> > On 18-10-21 12:05:31, Moritz Mühlenhoff wrote:
> > > That's all bugfixes related to enabling Enigmail and nothing in there
> > > is itself security-related, so I think that's something for the point
> > > update, not security.debian.org
> >
> > That's quite unfortunate to hear, and I don't share this opinion (even
> > if this doesn't count in this case, I guess), for reasons outlined in
> > the initial mail by dkg of this bug report in the "fixing enigmail"
> > section.
> >
> > As of now, enigmail, which people use to secure their communication, is
> > broken; therefore, IMHO, fixing it would indeed be a security fix. I
> > spoke to quite some "end users" during the last weeks about this and
> > heard the problems they've run into; personally, to not further delay
> > this, I would very much appreciate it if this could be handled via
> > security.d.o.
>
> Some packages can be 'fast-tracked' from proposed-updates before a point
> release, though still via the 'stable-updates' mechanism [1]. It was
> announced back in [2], and might be an option here if the SRM can be
> convinced it is needed (a.k.a. if Adam gives his okay here).
An issue is that the gnupg update itself doesn't really qualify for stable-updates any more than it qualifies for stable-security. The changes to gnupg itself are at best security improvements, which isn't justification for forcing all stretch users to install the new version as a matter of urgency - indeed, if the new version of enigmail weren't relying on new functionality no-one would be suggesting pushing gnupg so urgently - nor, I imagine, backporting all of the mentioned features. It's also going to need a d-i sign-off, because gnupg produces a udeb.
As a general note, in case anyone's actually reading this rather than just hitting reply - thank you for your interest, but at this point we really don't need repeated follow-ups telling us how you think this should be handled via the security archive - the Security Team have already indicated that it won't be - or how the Release Team aren't dealing with things quickly enough. I at least struggle for Debian time recently and need to be able to focus on the actual requests. I'm one of the people who wrote the guidelines for stable-updates, so I know what it says and what it means. :-)
Regards, Adam