Hi! On Wed, 2015-04-22 at 01:53:16 +0100, Ben Hutchings wrote: > I've prepared an update to dpkg in squeeze-lts to fix CVE-2015-0840. As > it's a native package, I'd like to check some points with you:
> - Would you rather I numbered it as 1.15.12 or 1.15.11+nmu1? I'm a bit uncomfortable both with doing volunteer work for the LTS release, and getting an NMU for dpkg. But given that you've done the heavy lifting of hunting the patches and backporting them, I'd be fine with just merging them and releasing a tarball or a source package (although I can as well build both i386 and amd64 binaries if needed). If you still want to prepare it yourself, then as Holger said, please use +deb6u1. > - Should I do anything with the tarball produced by 'make dist'? If going with the second option above, then <https://wiki.debian.org/Teams/Dpkg/GitUsage> has some instructions that apply to master, they do need some small tweaking for 1.15.x. Also AFAIR, due to a release accident the 1.15.x series where autoreconfed from a wheezy system, so doing so from squeeze should produce much noise (and it would be on the unsafe side). > - Are you happy to pull from my git branch, or should I send one or > multiple patches? Given that you've done the hunting and backporting I'd like your SOB lines on all patches, alongside [mail@domain:\n - Brief change description. ] markers for the patches that required changes so proper credit is given in the commit message. > git repository: > http://git.decadent.org.uk/gitweb?p=dpkg.git;a=summary > http://git.decadent.org.uk/git/dpkg.git I've only skimmed over these, but they look like the patches that should be picked up. I can review them out properly while merging. Thanks, Guillem -- To UNSUBSCRIBE, email to debian-lts-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20150423051025.ga25...@gaara.hadrons.org
