Quoting Holger Levsen <holger@layer-acht.org>:
On Wed, Nov 09, 2016 at 05:35:20PM +0100, W. Martin Borgert wrote:Quoting Holger Levsen <holger@layer-acht.org>: >I think so. And I also think this should be done. >and, who's gonna file the RM bug for unstable? I would RM for buster, because users of stretch might already be affected.thats not how it works. You file an RM bug for a package in unstable against ftp.d.o now, and then this RM will propagate to stretch. A RM for stable needs to be requested via about against release.do.
If users of testing or unstable have the malware installed now and the package gets removed from the archive, users are left with the malware, right? That's why I thought about uploading an empty package to unstable, it should be released with stretch, but can be safely removed later. (Same for stable, only that for testing it is even more urgent, because I believe that the malware function has been introduced after releasing jessie.)