On 2019-01-29 11:53, Dirk Eddelbuettel wrote:
This is a follow-up to the discussion in #919324 and subsequent emails with Moritz and Salvatore. The two CVEs are genuine and fixed, the issue however is not a full-blown denial-of-service etc so Moritz suggested a normal security upload. The debdiff is included below, with the distribution changed from stretch-security to just stretch. Happy to upload once you give a green light. (System information removed as I type this on Ubuntu 18.10 ...)
Apparently it was already uploaded.

patches/updated-upstream-changes | 2699 +++++++++++++++++++++++++++++++++++++++

Aside from being big enough to be non-trivial to review, the filename of that patch isn't ideal. If there are other upstream changes that need incorporating in future, are you simply planning on appending to that patch, rather than having separate patches for specific purposes?
I noticed that your changelog includes a Closes: for this bug. Please don't do that. Bugs against release.d.o for stable updates get closed by us once the package is actually in stable (i.e. after a point release which includes the update has been released); uploading the package is some way from the end of the process of the fix being available for end users.
Regards, Adam