On 14.04.25 11:15, Jonas Smedegaard wrote:
> what the security team requested by filing this bugreport is that we *first* demonstrate capability in handling CVEs, and only *then* re-add the package to stable Debian.
Counterpoint: We cannot reasonably demonstrate our capability to handle CVEs for stable (or Testing) when the package is not in Stable (or Testing) in the first place.
All we can do is offer our commitment to do so.

Besides, Asterisk had a whopping three advisories last year, which is significantly less than 12 (and significantly less than when the bug was created). That alone should simplify the job by a whole lot, as do the recent packaging improvements.
Asterisk is by now far from the worst offender in this space.
Also, freeze is tomorrow, and it takes a minimum of 3 days for a package to enter testing, so even if we somehow demonstrated capability today, we would still be too late to include it.
We could always ask for an exception.

-- 
regards
-- 
Matthias Urlichs
