Hi,

On Fri, 2021-01-01 at 14:21 +0100, Salvatore Bonaccorso wrote:
> Uploading 1.2.1+dfsg-1 + CVE fix cannot work. We have already
> released 1.2.1+dfsg-2+deb10u1 in the security archives, so any
> version we pick to fix issues needs to be higher, no matter if we do
> several rollbacks or only the #975372 fix.
>
> So we need in any case 1.2.1+dfsg-2+deb10u2 (no matter if "complete"
> rollback, or just the bugfix).
>
> Given the move of the logdir and systemd unit has now been done with
> the DSA, I think my preference would be to only just address the
> "fallout" from the logdir move and so address #975372.
>
> Adam D. Barratt is Cc'ed in this message, who is a stable release
> manager in case he would like to indicate a preference.
>
> Adam would that be fine with you with your SRM hat on, to let all the
> -2 changes pass to stable (agreeing that that would usually not be
> stable material under normal circumstances) and so just address the
> introduced #975372?

As you say, such changes would not normally be considered as part of a stable update. However, given that they've already been published via the security archive and as such been on user systems for a month or so by this stage, I think attempting to walk back the additional changes now is likely to cause us more pain than just going with them, and hoping that #975372 is the only issue caused as a result.

Regards,

Adam