On Fri, 2018-06-08 at 20:12 +0200, Sylvain wrote:
> Hi,
> 
> On 08/06/2018 19:55, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Wed, 2018-06-06 at 19:54 +0200, b...@debian.org wrote:
> > > Please consider this update to freedink-dfarc for stretch.
> > > It fixes a security issue that can overwrite arbitrary user
> > > files.
> > > Sending to stable following security team's directions from
> > > 2018-06-01.
> > 
> > +freedink-dfarc (3.12-1+deb9u1) stable; urgency=high
> > 
> > Please use "stretch" as the distribution.
> > 
> > + * Fix directory traversal in D-Mod extractor (CVE-2018-0496)
> > + * Upload to 'stable' as security team rejected a DSA to
> > + 'stretch-security' (no justification)
> > 
> > The changelog is not the place for such commentary - please remove
> > it.
> > 
> > With the above changes made, and assuming that the resulting package
> > has been tested on stretch, please feel free to upload.
> 
> As per Social Contract #3 I do have to explain to my users why they
> get the security fix after the disclosure.
> 
As with basically all core teams, Debian's security team is generally stretched in terms of manpower and can't handle every possible update that's security-related. Things have to be prioritised and sometimes those updates end up being provided via proposed-updates. That's always going to be the case in a volunteer project, and even larger and/or commercially-backed projects will still have to decide which updates they handle before others. This isn't a problem as such, just the way things are.

(There's an argument that co-ordinated disclosure is in fact hiding issues in and of itself. I don't particularly subscribe to that, nor do I believe that any of this is what SC3 is actually trying to ensure.)

> This is not a commentary, this is purely factual.

It's not a description of a change made to the package, nor information that users need in order to decide whether they should be installing it. As such, it is commentary. That has nothing to do with its factuality or otherwise.

Regards,

Adam