Dear LTS team, Mateusz:

On Thu, Jun 16, 2016 at 09:12:47AM +0200, Adam Borowski wrote:
> On Thu, Jun 16, 2016 at 06:53:49AM +0000, Gianfranco Costamagna wrote:
> > Hi Adam,
> > (answering in general, not in this particular situation)
> >
> >
> > >I've reviewed the upload, but I'm not sure if you coordinated it
> > >with the LTS team. I find a contradiction:
> > > https://lists.debian.org/debian-lts/2016/06/msg00031.html
> > >says vlc is no longer supported in wheezy, yet in
> > > https://lists.debian.org/debian-lts/2016/06/msg00035.html
> > >the quoted mail sounds as if the upload is expected.
> > >
> > >Should I proceed?
> >
> > I guess not
> >
> > In general, for security pocket, you need to do:
> > - check/test the patch
> > - wait for an ack from security team
> > - upload (binary-upload, not sure if source only is allowed, but I think
> > not IIRC) on security-master
> > e.g.
>
> The docs on the LTS wiki suggest it is, but I asked to confirm.

I think you also need to do the build with -sa, as you need to upload
the full sources to security-master.

> > BTW according to security tracker wheezy is EOL for that cve, no DSA is
> > released, so I guess you won't
> > have the ack
> > https://security-tracker.debian.org/tracker/CVE-2016-5108
>
> The discussion continued after the EOL was mentioned, and Mateusz was
> obviously aware of it, thus I assume the RFS he filed was acked in parts of
> the discussion that are missing from list archives.
>
> In any case, the patch is simple and works for me.
>
> > (well, since there is a patch and an upload ready they might give an
> > exception, but I think
> > asking before is the right way to deal with this bug)
>
> Right... which is exactly what I'm doing right now :)
>

Wheezy has been handed off from security to the LTS team.
We haven't heard anything on this RFS for nearly 3 months. Can you see
if there is anything that you'd like. For example, I don't see a DLA
entry in dla-needed for VLC (nor I'd expect one considering VLC is not
declared as support iirc).
Anyway I suppose that a one-shot update can't really harm anybody.

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-