On Tue, Dec 31, 2024 at 11:52:04AM +0100, Thorsten Alteholz wrote:
> Hi Otto,
>
>
> On 31.12.24 10:59, Otto Kekäläinen wrote:
> > > > > Loren's message was posted at 2am my time zone, and Santiago had
> > > > > already done the upload by 5:30am my time zone. It is completely
> > > > > unreasonable to expect responses in a matter of hours regardless of
> > > > > the time zones. You agree this wasn't collaborative, right?
>
> so everybody needs to wait for your comment to make an upload?
>
> From my point of view everything was almost fine with the upload.
> The only criticism I have is that there are still two open CVEs for this
> package. Why haven't those been fixed in this upload as well? Especially for
> Bookworm it makes no sense to have two separate pu-bugs.

As I am relatively new to the Go Team, I chose to keep it to a smaller, easier to review, change which resolved the CVE with the highest score. That was the only CVE that led to a Debian bug of severity grave and threatened to remove it from testing in a few weeks from now. It has a CVE base score of 8.0. The others have a score of 6.5 or less and their corresponding Debian bugs are only of severity important.

Now that my feet are wet, I do plan to dig into the other CVEs and find the appropriate minimally-viable patch to fix them, however, I probably won't have enough time until this next week-end. The patch for the CVE that is fixed was straight-forward and I was able to get it resolved and submitted in the time I had this last week-end. I will take that up unless someone else feels like they want to do it sooner than I am able to.

Thanks,
Loren

>
> Thorsten
>

--
Loren M. Lang
lor...@north-winds.org
http://www.north-winds.org/

Public Key: http://www.north-winds.org/lorenl_pubkey.asc
Fingerprint: 7896 E099 9FC7 9F6C E0ED E103 222D F356 A57A 98FA