On Thu, Jun 16, 2016 at 06:53:49AM +0000, Gianfranco Costamagna wrote:
> Hi Adam,
> (answering in general, not in this particular situation)
>
>
> >I've reviewed the upload, but I'm not sure if you coordinated it
> >with the LTS team. I find a contradiction:
> > https://lists.debian.org/debian-lts/2016/06/msg00031.html
> >says vlc is no longer supported in wheezy, yet in
> > https://lists.debian.org/debian-lts/2016/06/msg00035.html
> >the quoted mail sounds as if the upload is expected.
> >
> >Should I proceed?
>
> I guess not
>
> In general, for security pocket, you need to do:
> - check/test the patch
> - wait for an ack from security team
> - upload (binary-upload, not sure if source only is allowed, but I think not
> IIRC) on security-master
> e.g.

The docs on the LTS wiki suggest it is, but I asked to confirm.

> you can see the accept email here
> https://packages.qa.debian.org/v/virtualbox/news/20160129T103406Z.html
>
> but I never and I think they really don't like it, pushed without having an
> explicit ack
> from security team (and it should even be mentioned in the security policy)

It is mentioned, in the Developer Reference. I assume Mateusz discussed the
upload -- it's only a copy of a patch already applied to jessie, and what I
see in debian-lts archives includes a part of such a discussion.

> BTW according to security tracker wheezy is EOL for that cve, no DSA is
> released, so I guess you won't
> have the ack
> https://security-tracker.debian.org/tracker/CVE-2016-5108

The discussion continued after the EOL was mentioned, and Mateusz was
obviously aware of it, thus I assume the RFS he filed was acked in parts of
the discussion that are missing from list archives. In any case, the patch
is simple and works for me.

> (well, since there is a patch and an upload ready they might give an
> exception, but I think
> asking before is the right way to deal with this bug)

Right... which is exactly what I'm doing right now :)

Wheezy has been handed off from security to the LTS team.


Meow!
-- 
An imaginary friend squared is a real enemy.