On 15/12/2020 02:16, Roberto C. Sánchez wrote:
> I am curious if there is a policy or best practice for how to handle a
> package update containing both a regression fix and also a fix for a new
> vulnerability.
>
> If such a thing is not advisable or permissible, then is it best to
> handle the regression as one update and then follow up with the new
> vulnerability fix as a subsequent update?

Just one update, and one announcement as a new DLA (-1) mentioning the
regression fix. See e.g.

https://lists.debian.org/debian-security-announce/2020/msg00139.html
https://lists.debian.org/debian-lts-announce/2019/02/msg00032.html
https://lists.debian.org/debian-lts-announce/2020/06/msg00012.html

Cheers,
Emilio