Control: severity -1 important

Nope, the plan to follow upstream releases was acked by both the security and 
release teams, so I am not doing anything really surprising here. BIND 9 
packages are following the patch releases for each minor release (in the 
traditional major.minor.patch version triplet).

So, let’s focus on what could be improved here. I don’t think anything like 
this will happen ever again in 9.16, but I’ll try to be more vigilant about 
possibly breaking changes next time.

Also Steinar, while I understand this has caused you some distress, this is not 
really a grave bug. It does not make the package in question unusable or 
mostly so, or cause data loss, or introduce a security hole allowing access 
to the accounts of users who use the package.

As I said in the other email, I’ll take a look if I can soften the requirement 
for the configuration in the Debian package tomorrow. Perhaps just downgrade it 
to a prominent warning instead of a hard error.

Ondřej
--
Ondřej Surý <ond...@sury.org> (He/Him)

> On 22. 9. 2022, at 23:16, Steinar H. Gunderson <se...@debian.org> wrote:
> 
> On Thu, Sep 22, 2022 at 08:13:53PM +0200, Ondřej Surý wrote:
>> I am sorry this has caused inconvenience for you, but the original problem 
>> here was that the implicit inline-signing with the dnssec-policy was also 
>> problematic and causing other problems, see the upstream issue: 
>> https://gitlab.isc.org/isc-projects/bind9/-/issues/3381
>> 
>> Especially this: 
>> https://gitlab.isc.org/isc-projects/bind9/-/issues/3381#note_308893
> 
> Sure, but that's not appropriate to change in a stable-security update.
> You can ask the SRMs whether it is applicable for a stable update
> (I would say no; the point of stable is that you know what issues
> you have and don't get new ones), but you cannot just put it into
> a security update unless they are positively required for the security
> issues in question.
> 
> /* Steinar */
> -- 
> Homepage: https://www.sesse.net/
