On Sun, Jun 23, 2019 at 12:09:13PM +0200, Paul Gevers wrote:
> Technically, you're already too late, the package will only be 2 of 5
> days old on Tuesday 13:00 UTC. But I have much worse concerns, see below.
> 

It's all up to the release team's decision, right?

We already missed docker in the last release, and it won't be worse if it
is missed from this release as well.

But FTR, this time there are maintainers who care about it and want to volunteer
their time.

> > +  * Non-maintainer upload.
> 
> This worries me. "Apparently" Arnaud didn't consider it appropriate to

There's nothing wrong with the procedure. Fixing an RC bug with no maintainer
activity on the bug for 7 days, it's 0 day.

I have CCed the maintainers, and "apparently" there's no disagreement
afterwards.

> upload the patch and I don't see an ACK from any of the maintainers. In
> my opinion, trying to save docker.io for buster isn't appropriate via a
> non-ACKed change so terribly late. Do the maintainers agree with this
> approach?
> 
> > +  [ Arnaud Rebillout ]
> > +  * Add patch for CVE-2018-15664 (Closes: #929662).
> 
> On top of that, I worry quite a bit that by disabling that test in the
> upstream patch, you are hiding a real problem. If it is possible from
> within the docker container to crash the host, that's a severe issue.
> Can you take away my worries?
> 

All code could have bugs, and that includes the test code. If you find a
serious bug in this version, please file a bug; then it could prevent
docker.io from migrating.

But FTR again, I didn't blindly upload the patch. I did test it, like running
the resulting binary and the affected command. And more importantly, the
newly added code didn't break any existing test cases.

-- 
Shengjing Zhu
