On Sun, Jun 23, 2019 at 12:09:13PM +0200, Paul Gevers wrote: > Technically, you're already too late, the package will only be 2 of 5 > days old on Tuesday 13:00 UTC. But I have much worse concerns, see below. > It's all up to the release team's decision, right? We already miss docker from last release, and it won't be worse if it is missed from this release as well. But FRT, this time there are maintainers who care it and want to volunteer their time. > > + * Non-maintainer upload. > > This I worries me. "Apparently" Arnaud didn't consider it appropriate to There's nothing wrong in the procedure. Fixing RC bug and no maintainer activity on the bug for 7 days, it's 0 day. I have CCed the maintainers, and "apparently" there's no disagreement afterwards. > upload the patch and I don't see an ACK from any of the maintainers. In > my opinion, trying to save docker.io for buster isn't appropriate via a > non-ACKed change so terribly late. Do the maintainers agree with this > approach? > > > + [ Arnaud Rebillout ] > > + * Add patch for CVE-2018-15664 (Closes: #929662). > > On top of that, I worry quite a bit that by disabling that test in the > upstream patch, you are hiding a real problem. If it is possible from > within the docker container to crash the host, that's a severe issue. > Can you take away my worries? > All code could have bug, it includes the test code. If you find a serious bug for this version, please file a bug, then it could prevent docker.io to migrate. But FTR again, I didn't blindly upload the patch. I do test, like running the result binary, and the affected command. And more importantly, the newly added code, didn't break any existing test cases. -- Shengjing Zhu
Attachment:
signature.asc
Description: PGP signature