Sorry. I didn't understand your answer (English is not my mother
language).

You are speaking about "unstable".

I am speaking about pushing a CVE fix into stable 3.5.5. This fix is part
of a patch that includes other fixes, and this patch is called 3.5.7.
My question is: can I push fix1 + fix2 + fix3 with "1 push, called 3.5.7"
even if only fix1 was declared on Debian?


My understanding is that unstable has a different cycle than stable and is
dedicated to the next Debian stable. So the version that will be pushed into
"unstable" will be 3.8 (a major release that will include upstream with fixes
found in the official project maintenance releases of the 3.5.* branch, 3.6.*
branch, 3.7.* branch + new features, so including the CVE included in 3.5.7
and not yet pushed to Debian because Debian is 3.5.5).
Do you mean
* I need first to update upstream of "unstable" with 3.8 (so it will
include the CVE fix) to be ok to fix stable with the maintenance fixes of
3.5.7
or
* I can't push 3.5.7 into stable even if it contains only CVE or stability
fixes compared to 3.5.5, and I must prepare a 3.5.5bis that will include only
the CVE reported to Debian and not the others discovered and fixed in the 3.5.7
official project?




2015-09-03 18:43 GMT+02:00 Adam D. Barratt <a...@adam-barratt.org.uk>:

> Control: tags -1 + moreinfo
>
> On 2015-09-03 15:44, Laurent Destailleur (eldy) wrote:
>
>> A security error CVE-2015-3935 was reported for Dolibarr ERP CRM
>> package. This bug is fixed into official package 3.5.7 of Dolibarr.
>> Package 3.5.7 is a maintenance release compared to 3.5.5 and contains
>> only fixes. But not only bugs reported to debian, it includes also
>> other fixes (but they are all related to stability or security).
>> I think it is a better solution to validate this maintenance release
>> based on the new upstream version of Dolibarr than applying a patch of
>> the only CVE-2015-3935.
>>
> [...]
>
>> So I just need to know if it's ok to push such a version 3.5.7 (fixes
>> for 3.5.* branch) instead of only one fix for only the few (the only)
>> reported debian bugs,
>> since it provides more stability and is for me a more secure process.
>>
>
> Certainly not whilst neither the CVE fix nor 3.5.7 are in unstable (which
> still has 3.5.5 without the fix, afaict).
>
> Regards,
>
> Adam
>



-- 
EMail: e...@destailleur.fr
Web: http://www.destailleur.fr
------------------------------------------------------------------------------------
Google+: https://plus.google.com/+LaurentDestailleur/
Facebook: https://www.facebook.com/Destailleur.Laurent
Twitter: http://www.twitter.com/eldy10
------------------------------------------------------------------------------------
* Dolibarr (Project leader): http://www.dolibarr.org (make a donation for
Dolibarr project via Paypal: cont...@destailleur.fr)
* AWStats (Author) : http://awstats.sourceforge.net (make a donation for
AWStats project via Paypal: cont...@destailleur.fr)
* AWBot (Author) : http://awbot.sourceforge.net
* CVSChangeLogBuilder (Author) : http://cvschangelogb.sourceforge.net
