On 2024-04-19 at 15:55, Salvatore Bonaccorso wrote:
> Hi,
>
> FWIW, I'm actually preparing a security update for the two CVEs and
> for bookworm I was first planning to do a 590-2.1 reaching unstable,
> and so then 590-2.1~deb12u1 for bookworm.
>
> But if you want to override it with a NMU and proposing to salvage the
> package this is equally fine.

Your DELAYED/2 NMU is probably the fastest and best way to get these CVEs fixed in unstable and bookworm, so that's fine, thanks. Any plans for 551-2 in bullseye? The two patches in your NMU apply cleanly there.

Then the salvage procedure can play out for the full 28+ days specified by developers-reference (21 days to allow the maintainer to object followed by a DELAYED/7 adoption upload). I've already soft-proposed to salvage in bug #1069280 yesterday. And as mentioned there I'm not yet a DD or DM, so I'd need to find a sponsor (and access to debian/less.git).

If your NMU and my salvaging procedure go through, I'll rebase my work upon and acknowledge your NMU. And I'd like to backport a 643-1 to bookworm and bullseye sloppy (and update bullseye-backports with your NMU, unless you do that).

You and I both apparently made the exact same changes to backport the CVE-2024-32487 patch (except your patch still has the original upstream diffstat instead of the backport, which is fine), so that's a good confirmation that my patch was (and yours is) correct.

-- 
Patrick "P. J." McDermott: http://www.pehjota.net/
Lead Developer, ProteanOS: http://www.proteanos.com/
Founder and CEO, Libiquity: http://www.libiquity.com/