Hi,

Thanks for your comment. (Charles is the upstream.)

On Sat, Nov 22, 2014 at 01:30:41PM -0600, Charles Cazabon wrote:
> Osamu Aoki <os...@debian.org> wrote:
> >
> > In Debian, its security update policy prohibits any new feature added
> > with security updates.
>
> It's kind of a bogus distinction. As Linus Torvalds says, there's no real
> difference between "bugfix" and "security fix", and I would argue there's
> almost as little difference between "bugfix" and "new feature".

If you added an unrelated HTTP-server feature to getmail for the remote
configuration, I call it a feature change (enhancement, bloat, or ...).

> > There are needs for updating 4.32.0 and 4.20.0 for the MITM security
> > issues.
> >   CVE-2014-7273
> >   CVE-2014-7274
> >   CVE-2014-7275
>
> The changes in getmail to allow it to perform server SSL certificate
> validation and various other advanced SSL options: would you call
> those a new feature? Because it clearly is.

It is a borderline case.

> But on the other hand, some people consider the previous behavior a
> bug, so perhaps it's a bugfix. But others say it closes a security
> hole, so it's a security fix.

I forward your insightful argument to the Debian security team.

> I see no way to make a clear-cut distinction between any of those three
> possibilities.

I concur.

> > I for one as being its maintainer in Debian see it theoretically
> > possible but am scared to make mistakes when dropping non-security fix
> > changes.
>
> I don't think you need to drop *anything*. getmail hasn't had much in
> the way of new features in many years, and I try to maintain
> compatibility as much as is practical. Just update to the latest
> version.

Thank you.

Osamu