Hi Andrew,

[Please use reportbug next time as bugs are easier to track].

On 14-02-2019 08:45, Andrew Lee wrote:
> We have open-build-service 2.9.4-1 uploaded last week. It used to needs
> 2 days to goes into Buster due to it contains a various CVE fixes.

That urgency was not really warranted as open-build-service is not in buster. It would have been good to mention that fact too. Also, these CVEs have been known for months.

> However it got blocked by two of its build-deps: ruby-clockwork and
> ruby-jquery-ui-rails which we already fixed but needs more days to
> migrate after these two ruby packages.

Both of which are also not in buster. So you are requesting an exception for all three.

> And there is a bug fixes upstream release 2.9.5 available. We better
> have this version in Buster to make CVE fixes backports earlier later.
>
> Would you consider allowing the freeze exception for 2.9.4-1 that's
> already uploaded or also allowing us to have 2.9.5 release in Buster?

Why did you only fix this so late in the cycle? If the history I see is correct, open-build-service has been out of testing since 2018-04-26. Did you really have to wait until we were into the soft-freeze? So we are missing the picture that tells us why you are so late. Can you elaborate?

Paul