Re: [SECURITY] [DSA-2115-2] New moodle packages fix several vulnerabilities

[Florian Weimer <fw@deneb.enyo.de>]

* Michael Gilbert:

> The problem here appears to be the jump to the new upstream version
> (1.8.2 to 1.8.13), which has a different dependency set.

The actual problem was that the dependency set was initially different
(it included additional, incorrect dependencies).  This was corrected,
and upgrades and installation of the new version were tested again.
Due to the dpkg/apt-get split, I installed the dependencies manually
on a clean system, and erroneously included the wwwconfig-common
dependency, even though the updated package lacked that.  As a result,
I missed the dropped dependency.

> New upstreams are usually disallowed in security uploads.  The
> question is why was that OK in this case, rather than the standard
> backporting approach?

If upstream provides a stable branch which focuses on bug fixes, we
might also use that.  This is a per-package decisions.  Other packages
for which we generally follow this approach are BIND and PostgreSQL.
In some sense, this also applies to the linux-2.6 package.