Would love to see that entry, but:

* I have no idea what vulnerabilities affecting Gitea are in earlier golang versions, and Gitea's release notes don't say
* what do I put in the below version field? It's the golang versions that affect the situation, not the Gitea version, as far as I know.

Stefan

--
Stefan Bethke <s...@lassitu.de> Fon +49 175 3288861

> On Sunday, Feb. 09, 2025 at 1:12 PM, Piotr Smyrak <ps.po...@smyrak.com> wrote:
> On Sun, 9 Feb 2025 09:47:52 +0100
> Moin Rahman <b...@freebsd.org> wrote:
>
> > > On Feb 9, 2025, at 09:43, Stefan Bethke <s...@lassitu.de> wrote:
> > >
> > > Gitea has released their version 1.23.3, which includes this in the
> > > release notes
> > > (https://github.com/go-gitea/gitea/releases/tag/v1.23.3)
> > >
> > > * Build Gitea with Golang v1.23.6 to fix security bugs
> > >
> > > As far as I can tell, the newest Golang package is:
> > > go123-1.23.3 Go programming language
> > > and the port has 1.23.5.
> > >
> > > As a port maintainer, how should I go about updating Gitea? Simply
> > > bumping the version likely will not incorporate the fixes that have
> > > been included in Go 1.23.6? Should I monitor the go123 port and
> > > send in the update patch for Gitea once the Go port has been
> > > updated? Or send the patch now, and bump port revision once go is
> > > at (at least) 1.23.6?
> > >
> >
> > As a non-committer you will eventually submit a PR or Review. So
> > notify in the PR/Review that the gitea update should take place after
> > Go has been updated to 1.23.6.
>
> Well, an entry in security/vuxml database is needed. To let people
> running the software they shall take their decision whether to stop
> running it publicly, to extra protect it, etc.
>
> --
> Piotr Smyrak