Control: tags -1 confirmed moreinfo James Cowgill: > Package: release.debian.org > Severity: normal > User: release.debian....@packages.debian.org > Usertags: unblock > > Hi, > > I am wondering whether it's possible to include mbedtls 2.4.2 in > stretch. While it does fix an RC security bug (#857560), it also > contains a lot of other stuff - all of it bugfixes though. > > The diff is attached, but it's pretty bug. There have been a number of > changes which should have no effect at runtime (lots of documentation / > comments updates, testsuite updates). Half of the diff is changes to the > visual studio project files which is obviously irrelevant for Debian. > > If this isn't approved, would cherry picking the 4 security bug fixes > and their testcases be OK for stretch? > > [...] > > Thanks, > James > > [...]
Hi, I have reviewed it and I agree that upstream release looks preferable with one remark: * The test suite appears to be "time-bombed" via "tests/data_files/test-ca2_cat-future-invalid.crt". * Ideally, the buildability should not expire. * Furthermore, its "expire" date is "Sep 22 15:49:49 2023" which is uncomfortably close stretch's expected EOL on the LTS release (Said EOL is currently estimated to some time in 2022 and counting). Please resolve that, upload and remove the moreinfo tag once the upload has been processed and built on all relevant release architectures. Thanks, ~Niels
