amd64-microcode, version number, no-dsa

2020-03-14 Thread Anton Gladky 
Dear LTS team,

I am still preparing an update for amd64-microcode for Jessie to fix
CVE-2017-5715. Security team marked this issue as no-dsa for Stretch
[1], it can be fixed through next point release.

For Jessie I am not able to use now the package version
3.20181128.1~deb8u1, because it is higher than the current Stretch
version 3.20160316.3, so upgrade would not be possible in the meantime.

Thus I'm asking for an advice:

  * May I set the version number for this update as
2.20160316.1+really3.20181128.1~deb8u1? After the next Stretch point
release I can reupload it with the version number 3.20181128.1~deb8u1.
Or there are better alternatives?

  * Package is non-free, should the amd64 and i386 binary packages both
be uploaded?

[1]
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c9dda4132363fd5b169a3aad5fec48a4e4d2f72

Thank you

Anton



signature.asc
Description: OpenPGP digital signature

Re: amd64-microcode, version number, no-dsa

2020-03-14 Thread Adrian Bunk 
On Sat, Mar 14, 2020 at 10:16:30PM +0100, Anton Gladky wrote:
>...
>   * Package is non-free, should the amd64 and i386 binary packages both
> be uploaded?
>...

No, the buildds can build packages in non-free.

https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#marking-non-free-packages-as-auto-buildable
https://sources.debian.org/src/amd64-microcode/3.20191218.1/debian/control/#L10
https://buildd.debian.org/status/logs.php?pkg=amd64-microcode&arch=i386

> Thank you
> 
> Anton

cu
Adrian