Re: DD Ping: Review of Tomb for CVE-2020-28638

[Samuel Henrique <samueloph@debian.org>]

Hello Sven,

I prepared fixed versions of tomb for unstable [1], 2.7+dfsg2-2, and
buster-backports [2], 2.7+dfsg2-2~bpo10+1. Please review these. I added
myself as uploader, so feel free to provide upload permissions to me.

Nice, upload sponsored and I just sent the dcut command to give you upload permissions.

If you haven't yet asked to be added to the backports ACL, you can do so by following this link's instructions:
https://backports.debian.org/Contribute/

In the meantime, I'm happy to sponsor the backports upload as well, ping me when the package has reached testing.

 

Regarding buster I assume I should provide a 2.5+dfsg1-3 on a
debian/buster branch in the repository. I would only add the security
fix, nothing else. Is this the way to go?

That's correct, you should branch from the last buster upload. Please note that you must follow a different process for stable uploads, assuming this will be a buster-updates upload (and not buster-security, which is fine by me), these are the instructions:
https://www.debian.org/doc/manuals/developers-reference/pkgs.html#special-case-uploads-to-the-stable-and-oldstable-distributions

Basically, you create a bug against release.debian.org and wait for the ACK for the upload (freel free to CC me). I suggest taking a look at the current open bugs to look for examples.

Thanks for your work :)

--

Samuel Henrique <samueloph>