Hi Jörg,

On Thu, May 25, 2017 at 1:23 PM, Jörg Frings-Fürst <deb...@jff-webhosting.net> wrote:
> Hello Vincent,
>
> I have a bugfix release ready for a review.
>
> My changes:
>
> libonig (5.9.1-1+deb7u1) wheezy-security; urgency=high
>
>   * New debian/patches/0500-CVE-2017-922[4-9].patch:
>     - Cherrypicked from upstream to correct:
>       + CVE-2017-9224 (Closes: #863312)
>       + CVE-2017-9226 (Closes: #863314)
>       + CVE-2017-9227 (Closes: #863315)
>       + CVE-2017-9228 (Closes: #863316)
>       + CVE-2017-9229 (Closes: #863318)
>   * debian/control:
>     - Add myself as maintainer.
>
> Builds with pdebuild are ok. The test with the newest lintian has a lot
> of warnings.
>
> The package is uploaded to mentors[1]. The debdiff is attached.
>
> Please can you review it?

In your upload to mentors.d.n, why has the source tarball been changed and versioned as if libonig was a native package (it's not)?

Also, if I'm not mistaken, it doesn't look like your CVE patch is actually applied when I attempt to build your package.

Have you updated dla-needed.txt, obtained a DLA id and prepared an announcement for debian-lts-announce, as described in [1]?

Regards,
Vincent

[1] https://wiki.debian.org/LTS/Development