[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DSA 1266-1] New gnupg packages fix signature forgery

On Wed, Mar 14, 2007 at 11:43:40AM +0100, Frank Küster wrote:
> Moritz Muehlenhoff <jmm@inutil.org> wrote:

> > For the upcoming stable distribution (etch) these problems have been
> > fixed in version 1.4.6-2.

> However, etch still has 1.4.6-1, and no freeze exception has been
> requested.

But it has been granted.

$ grep-excuses gnupg
gnupg (1.4.6-1 to 1.4.6-2)
    Maintainer: James Troup
    Too young, only 1 of 5 days old
    Ignoring request to block package by freeze, due to unblock request by he
    Not considered
$

We don't expect maintainers to request unblocks for RC bugfixes (in fact, I
prefer they don't, it's just extra mail to reply to).

> I'm not sure about the policy for security updates in etch, but it doesn't
> seem proper to announce the availability in a DSA if it's not yet true...

Hopefully, the fact that the security team made this statement means they
were aware 1.4.6-2 was a candidate for inclusion in etch.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
Reply to: