Bug#987329: unblock: ceph/14.2.20-2



Control: tags -1 moreinfo

Hi Thomas,

On 21-04-2021 22:33, Thomas Goirand wrote:
> I've uploaded version 14.2.20-2 of Ceph. This is the last point release
> from upstream, including the fixes for CVE-2021-20288 and CVE-2020-27839.
> 
> With such large software such as Ceph, the debdiff can be quite big.
> This unfortunately is no exception. I understand that the rule is that
> the release team insist on reviewing all changes. That's clearly not
> possible considering the debdiff size. However, I don't think it is
> reasonable to not include point release fixes from upstream, just like
> we do with other large software in Debian. I intend to keep Ceph 14.2.x
> updated during the lifetime of Bullseye, following upstream updates,
> hopefully you will agree that this is the sensitive thing to do.

As I have no clue what Ceph is and how their releases work, to make this
acceptable you'll have to elaborate on why a new upstream release
complies with our freeze policy. Please look at the questions in our FAQ
[1], section "I want to add a new upstream release, is that possible?"
We don't *just* accept new upstreams for "other large software", we
still need to judge somehow (even more so if we can't reasonably do that
by manual inspection of the diff) that that's appropriate.

> I've uploaded the debdiff here:
> http://shade.infomaniak.ch/ceph_14.2.20-2.debdiff

That URL gives a 404. Please attach it to this bug for future reference
(yes, it may not make it to the list, but then the bts has it).

Paul

[1] https://release.debian.org/bullseye/FAQ.html
