On Tue, Apr 02, 2019 at 10:40:44PM -0400, Reinhard Tartler wrote:
> Ah, that's great news. I didn't realize that Moritz backported the
> security fixes to an earlier upstream version. I managed to locate the
> git commits but wasn't comfortable with backporting them to version 0.5.2,
> not all of them applied cleanly and I lacked the confidence to resolve
> the conflicts.
>
> Thanks Moritz for taking care of this!

Yeah, I sent a mail to debian-multimedia@ldo about this, but seems to have
fallen through the cracks:
https://lists.debian.org/debian-multimedia/2019/03/msg00081.html

BTW, I also prepared an MR on salsa for the remaining open security issues
in src:audiofile, it would be great if anyone in the debian multimedia team
could merge and upload:
https://salsa.debian.org/multimedia-team/audiofile/merge_requests/1

> > As for gpac/0.7.1+dfsg1-1, I cannot find a debdiff for it on the mailing
> > list nor the BTS. Therefore, I have no clue whether it is suitable for
> > buster.
>
> The debdiff is unreasonably large (several MiB), there are a *lot* of
> unrelated upstream changes included.
>
> I'll spare you to review it.
>
> Given we do have those RC bugs fixed with more targeted patches, I
> no longer see the urgency to get 0.7.1 into unstable. Would you agree
> with having 0.7.1 in experimental instead? If so, I'd upload it as
> 0.7.1-2 to experimental.

experimental should be fine, as it's totally to the freeze process.

Cheers,
Moritz