Hi Markus,

On Wed, Jul 1, 2020 at 10:00 PM Markus Koschany <a...@debian.org> wrote:
> > 1. imagemagick/oldstable
> > Please shout back if I should not.
>
> Thanks for being proactive. Actually I am working on Jessie and Stretch.

Great! Since ImageMagick warrants a DSA for Stretch, I am going to drop it
from dla-needed. And simultaneously add it to ela-needed (for Jessie) and
assign it to you (as you're working on it).

> Imagemagick in oldstable has never received any attention from the
> maintainers, thus I wonder why this is the case now when the switch to
> LTS is imminent. There are 60 open or ignored CVEs in Stretch. Do the
> maintainers of imagemagick intend to fix them all?

It seems that it has been over a year since any of the maintainers did an
upload. So I don't know. Perhaps I'll leave it for the Security team to
answer that.

> > 2. squid3/oldstable
> > Please really shout back if I should not.
>
> The update is ready. There is a new CVE, CVE-2020-15049, but it can be
> postponed for now. That should not stall the release. I wanted to send
> a request for testing to debian-lts due to the many changes in the code
> base. The same version can be used for Jessie and Stretch. I would keep
> squid3 in dla-needed.txt since the update is relevant for Stretch.

But it would make no sense to keep it in dla-needed.txt (which is for
Stretch now!) since squid3 is already in dsa-needed. It'd just make things
weird since keeping it in dla-needed means you want to issue a DLA for
Stretch and having it in dsa-needed means there'll be a DSA for the same
thing.

So I propose to drop it from dla-needed instead!?
Let me know what you think.

Best,
Utkarsh