Hi Manoj,

* Manoj Srivastava <[EMAIL PROTECTED]> [2008-10-04 16:39]:
> On Sat, Oct 04 2008, Nico Golde wrote:
[...]
> > This is an automatically generated mail, in case you are already
> > working on an upgrade this is of course pointless.
>
> Umm. The fixed package is already in testing and unstable, so
> with the new release, stable should be covered.

Sure but that's still some time in between.

> 1) The package in testing has had many, many unrelated changes,
>    including a new set of upstream releases, so would not meet the
>    stable release criteria.

Yes, that's correct.

> 2) The package has a low popularity contest ranking.
> 3) Uploading packages to proposed-updates for security is deprecated,
>    if it were important enough, there would have been the normal
>    security update which would have taken the fixes back to stable.

The reason you got this mail is because it is not important enough,
this has been tagged as no-dsa in the security tracker.

> 4) The fix will have to be back ported, since we can't just take the
>    testing version of the package back.
>
> On the other hand, back-porting the fix will probably be pretty
> easy, though still a chore. Since this is an automatically generated
> request, I'd like the input of a human before I undertake the task --
> is this report, which was not deemed important enough to be called a
> security risk, worth the effort? Will we release Lenny before the next
> point release?

In my opinion yes. It's not that this is no security risk at all,
of course it is a security risk, it is tracked as low in our
security tracker. But the security team would be just overloaded
if we would release a DSA for every single tmp race issue that
was reported recently. I think back-porting the fix is not that
much work and the users of dist will be thankful for that (even
if there are only ~100).

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.