On Thu, Nov 14, 2019 at 05:19:03PM +0000, Holger Levsen wrote:
> On Wed, Nov 13, 2019 at 08:24:55AM -0500, Roberto C. Sánchez wrote:
> > > We usually mark affected CVE as <end-of-life> in data/CVE/list and just
> > > add the package to security-support-ended.deb8 in
> > > debian-security-support. We then upload new versions of the package
> > > periodically and announce it via DLA. I believe now is a good time to do 
> > > it.
> > Thanks for the information.  I will start working on it today.
>  
> As any DD can commit to debian-security-support.git and also can upload
> that package, just make sure to call it a team upload in d/changelog to
> appease lintian and possibly other tools.
> 
I had not yet seen this message so I already submitted a MR.  Should I
close that and make a direct commit?

> And then it would be ideal to upload the package to unstable and then
> file an SRM bug to update the package in stretch, in addition to
> uploading to jessie. (Probably this should also result in a DLA, not
> 100% sure though. Thoughts & comments definitely welcome.)
> 

Looking at the previous updates, a DLA seems appropriate.  I am in the
process of drafting the text.

> I believe it's fine if the version constraints (package version in
> unstable higher than testing higher than stable higher than oldstable)
> are temporarily not met, but I also believe it's important that they are
> in the long run & most of the time.
> 
> If doing all this work is too much or tedious to you, please shout and I
> will be happy to finish this. Please just do at least the initial
> change in git to security-support-ended.deb8.
> 
If I close the MR and commit directly, is it then a simple matter of
build and upload to unstable?  That is, no other special steps are
required?

Regards,

-Roberto

-- 
Roberto C. Sánchez
