On Mon, Aug 15, 2016 at 06:42:31PM +0200, Markus Koschany wrote:
> On 15.08.2016 18:31, Emmanuel Bourg wrote:
> > On 08/15/2016 06:19 PM, Markus Koschany wrote:
> >
> >> This is the exact same change as currently in Stretch. This in an
> >> improvement and has no negative effect.
> >
> > This change has landed in Stretch 4 days ago only, we don't have enough
> > feedback on its impact. I suspect it may cause some problems in
> > environments where the Tomcat configuration is expected to be world
> > readable. I thought we agreed to keep that modification for Stretch only
> > when we discussed about #825786 [1]:
> >
> >>> Ok, the stable patch shouldn't change the permissions to 640 though.
> >>
> >> Fine with me.
> >
> > Emmanuel Bourg
> >
> > [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825786#75
>
> First of all I thought we had agreed that I take care of this security
> update.
>
> I have prepared and tested this update and I came to the conclusion that
> there is no need to revert the change from Stretch for Jessie again.
But we don't generall mix bugfix and security updates. There are a few
exceptions - when when something was acked by stable release managers
and then a security update happened before the release of the point
update - but generally all non-security changes should to be acked by the
stable release managers.
Cheers,
Moritz
