[Reduced the CC list] Hello Roger,
Am 20.09.18 um 02:53 schrieb Roger Shimizu: > And I'm not the maintainer of src:gnupg2. I just want to help > Bug#906545, and upstream maintainer says patching stable version may > be hard and backport may be easier. > > backports should be no harm since it uses ~bpo in version. > So it's still feasible if pkg maintainer and release team decide to > include a new major version into point release. yes and no. Technically it's no problem to provide gnupg2 through backports, the downside is that users need to act here proactively and install this package with some extra knowledge. It's not that I'm against this, providing a package by backports is in my eyes even better than providing nothing and pushing people to use usptream releases directly (like enigmail e.g. for now). ... > Did you report this situation to release team? > I think if it's necessary and release team agree, gnupg2 maintainer > can certainly help. No, I haven't talked to the release team, I'm mostly in contact with the security team by my involvement due the thunderbird package. And we did have some conversation together with dkg as one of the maintainers of enigmail and gnupg2. dkg has summarized the current problem with enigmail and gnupg2 in #909000. I'm the wrong person to make a judgment for doing a backport of gnupg2, if ever one can something to this than this is Daniel or Eric. So in my eyes it's better to ask the original package maintainer, maybe Daniel is fine with an upload of gnupg2 to backports? And if yes it's probably also o.k. then to upload a recent enigmail version to backports afterwards. In the future it's later always possible to provide a newer version through stable-security. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909000#15 -- Regards Carsten Schoenert