[Cc += team@security]

On Wed, 2012-05-02 at 11:26 +0200, Michael Meskes wrote:
> > I noticed that you've uploaded an "acpid" package to proposed-updates.
> > Was this discussed with anyone on the release team beforehand?
>
> Yeah with Zobel. Come to think of it, he's no longer a stable release
> manager, is he?

Not for a few years now, no. :-)

> Sorry for the fuzz guys. Feel free to reject the upload. My bad, I
> hurried the upload after seeing the announcement of the next point release.

No worries. I had a suspicion that might have been the case... fwiw
there's a pointer to the relevant dev-ref section in the bug log.
"reportbug release.debian.org" works quite well too :-)

[...]
> The security team did a release fixing two bugs. One was in an example
> script, the other one unfortunately wasn't done right. So right now we
> have an acpid package that doesn't work correctly.
>
> After the bug report showed the problem I asked them to release a new version
> but they refused and pointed me to the next point release, which is why I
> uploaded that package yesterday.

On the whole, regressions introduced via the security archive are
generally fixed via the security archive. Looking at the DSA in which
the code in question is released, I guess it's part of the fix for
CVE-2011-1159? If so then indeed local DOSes tend to be treated as
issues which the security team don't address via DSAs, at least not
unless they're bundled with other fixes.

team@security, could you confirm the above is correct and also that
there aren't any plans for a fix for the issue via the security archive
in the near future?

Regards,

Adam