
Bug#930293: unblock: docker.io/18.09.1+dfsg1-7



Control: tags -1 moreinfo

Hi Shengjing, Arnaud,

On 22-06-2019 22:14, Shengjing Zhu wrote:
> Hi,
> 
> On Tue, Jun 18, 2019 at 10:18:47PM +0200, Paul Gevers wrote:
>> I don't like to rush you, but be aware that the time slot to fix this is
>> closing. The package needs to be ready to migrate at 2019-06-25 13:00
>> UTC [1]. If the package isn't ready, we'll remove it from buster (fixing
>> some headaches for the security team, but a shame nevertheless).
>>
> 
> Hope it's still in time...

Technically, you're already too late: the package will only be 2 of 5
days old on Tuesday 13:00 UTC. But I have much worse concerns, see below.

> +  * Non-maintainer upload.

This worries me. Apparently Arnaud didn't consider it appropriate to
upload the patch and I don't see an ACK from any of the maintainers. In
my opinion, trying to save docker.io for buster isn't appropriate via a
non-ACKed change so terribly late. Do the maintainers agree with this
approach?

> +  [ Arnaud Rebillout ]
> +  * Add patch for CVE-2018-15664 (Closes: #929662).
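
Review bot: the changelog line "Add patch for CVE-2018-15664" does not record that the patch differs from upstream, while the reply below says a test in the upstream patch is disabled. Suggest stating in this entry that the test is disabled and why, so anyone reading the changelog can tell the fix is not the unmodified upstream change.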

On top of that, I worry quite a bit that by disabling that test in the
upstream patch, you are hiding a real problem. If it is possible from
within the docker container to crash the host, that's a severe issue.
Can you take away my worries?

Paul
