On 2016-03-01, Mike Gabriel <sunwea...@debian.org> wrote:
> @Security Team: Shall we (LTS contributors) handle wheezy-security
> updates like described below until Debian wheezy LTS comes into play?
>
>   o Pick a package that has open CVE issues in wheezy, e.g. from
>     above list
>   o Add the package to data/dsa-needed.txt, if not already there:
>     - packages with issues to be solved in wheezy only, should be
>       suffixed with "/oldstable" (i.e., gosa/oldstable)
>     - packages with issues in jessie and wheezy, should probably
>       just be added by the package name (without suffix), right?
>
> From then on, the workflow can be the same workflow as used for
> normal security updates (as already described earlier in this
> thread):
>
>   o Fix the issue in the package (grab the current package from
>     oldstable's archive).
>   o Test your fixes.
>   o Provide a .debdiff to
>     t...@security.debian.org and to the
>     Debian bug, if any related bug exists.
>
>   o Wait for feedback from the release team on how to proceed.
>
>   o As a courtesy, you could check the same package in jessie and
>     see if the fix for oldstable is easily forward-portable. Thus,
>     maybe providing a jessie-security .debdiff for the package can
>     be an option.
>
> The removal of the entry placed into data/dsa-needed.txt should then
> be handled by the Security Team, once the fixed package version has
> been uploaded.
>
> More Feedback?
> Mike

Looking good to me; we can refine the process incrementally, if need be.

Thanks a lot for the help,
--Seb