On 5/30/19 5:23 AM, Paul Gevers wrote:
Hi Mike, zigo,
Thanks for your replies,
I very much think it's safer to just allow SQLAlchemy to migrate right
now, to fix the potential SQL insertion vulnerability, rather than
waiting for any (potential, but likely rare) issue in the above reverse
dependencies.
I do think a gentle ping to the maintainers of the above packages would
be nice, but probably mass-filing of bugs isn't needed. How can I
easily gather the list of maintainers? Is there a script somewhere to do
this, or should I write it myself (which shouldn't be hard with some
apt-cache show in a loop...)?
Piotr, Mike, is what I wrote above accurate?
I can confirm Openstack is likely OK, most packages are likely OK, and
if a package is not OK, it's a trivial fix for them.
But as long as they are not fixed, how severe do you expect those issues
to be? I suggest proceeding with contacting them, just so maintainers
can check their package if they care.
Severe, because they will have queries that won't run.
@zigo, if you have the package name, you can contact the maintainers by
sending to <package-name>@packages.debian.org. I'm not 100% sure if this
only works for source package names.
Paul
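As an added example, not code from this thread or from Debian, here is a script of the kind Paul describes: it runs apt-cache show on each package name given on the command line, extracts the Maintainer field of every record, and also builds one <package>@packages.debian.org address per package. The parsing is kept in a function that reads apt-cache show output from stdin, so it can be exercised on a constructed sample (the package names, maintainers and versions below are made up) without apt installed. The address is built from the Source field when apt-cache prints one, on the assumption that the source package name is the safer choice for that alias; that assumption is mine, the thread does not settle it.

```shell
#!/bin/sh
# Added example: collect maintainers of a list of reverse dependencies
# from "apt-cache show" output. Not part of the original thread.

# Parse Debian control records (the format apt-cache show prints) from
# stdin and emit one line per record: binary<TAB>source<TAB>maintainer.
# "Source: foo (1.2-3)" carries a version in parentheses; it is stripped.
# When there is no Source line, the source name equals the binary name.
parse_records() {
    awk '
        BEGIN { RS = ""; FS = "\n" }          # blank line separates records
        {
            pkg = ""; src = ""; maint = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Package: /)         { pkg = substr($i, 10) }
                else if ($i ~ /^Source: /)     { src = substr($i, 9); sub(/ \(.*\)$/, "", src) }
                else if ($i ~ /^Maintainer: /) { maint = substr($i, 13) }
            }
            if (pkg != "") {
                if (src == "") src = pkg
                print pkg "\t" src "\t" maint
            }
        }'
}

# Unique maintainer entries (name <address>) from records on stdin.
maintainers() {
    parse_records | cut -f3 | LC_ALL=C sort -u
}

# One "<source-package>@packages.debian.org" address per unique source package.
package_addresses() {
    parse_records | cut -f2 | LC_ALL=C sort -u | sed 's/$/@packages.debian.org/'
}

# Loop over package names and print their apt-cache records, each followed
# by a blank line so the record separator is reliable. Requires apt.
gather() {
    for p in "$@"; do
        apt-cache show "$p" 2>/dev/null || echo "warning: $p not found" >&2
        echo
    done
}

# Constructed sample in the shape of "apt-cache show" output (not real
# archive data), so the parsers can be run without apt installed.
SAMPLE='Package: python3-foo
Source: foo
Version: 1.0-1
Maintainer: Foo Team <foo@example.org>
Depends: python3-sqlalchemy

Package: python3-bar
Version: 2.0-3
Maintainer: Bar Maintainer <bar@example.org>

Package: python3-baz
Source: baz (0.9-2)
Maintainer: Foo Team <foo@example.org>
'

sample_maintainers() { printf '%s\n' "$SAMPLE" | maintainers; }
sample_addresses()   { printf '%s\n' "$SAMPLE" | package_addresses; }

if [ $# -gt 0 ]; then
    # e.g. sh gather-maintainers.sh python3-foo python3-bar
    gather "$@" | maintainers
    gather "$@" | package_addresses
else
    sample_maintainers
    sample_addresses
fi
```

With package names as arguments the script prints, for real archive data, the deduplicated maintainer list followed by the per-source-package addresses; with no arguments it runs on the constructed sample, where the two records maintained by the same team collapse to one entry and the versioned Source line yields plain baz@packages.debian.org. Because apt-cache show can print several records for one package (one per available version), deduplication with sort -u is what keeps the list from repeating maintainers.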