On Thu, 23.09.2010, 21:39, Adam D. Barratt wrote:
> On Thu, 2010-09-23 at 20:37 +0200, Thomas Mueller wrote:
>> I'd like to ask you for a freeze exception of quassel 0.7.1.
>> The current version of quassel in testing is 0.6.1-2.
>> This version has a security hole as documented in [1] and in this bug
>> report as well [2].
>>
>> To fix this issue I could upload 0.6.3,
>
> Or 0.6.1-3 containing just the security fix. (Jumping to 0.6.3 assumes
> that all of the changes in 0.6.2 are okay; I haven't checked each of
> them, but there appear to be a couple of dozen of them).
>
preparing a 0.6.1-3 seems odd to me, because it contains already 12 known
bugs, which have been fixed in 0.6.2.
Are we interested in delivering buggy software to our users? I'm not!

>> but this is already some kind of
>> outdated branch within quassel development as 0.7 has been released
>> recently.
>
> The diff between the 0.6.1 and 0.7.1 packages (ignoring .po changes) is
>
> 167 files changed, 5192 insertions(+), 888 deletions(-)
>
> whereas the 0.6.2 to 0.6.3 diff (i.e. what's labelled as the security
> fix) is nearer 60-70 lines.
>
> 0.7.0 appears to have been tagged upstream a little over a week ago;
> that's a bit soon to be declaring 0.6 "outdated", isn't it?
>

well, a user interested in quassel will most likely look for a 0.7.x version.
in every other distro 0.7.x will be/has been delivered.
that's why I call it outdated.

>> 0.7.1 fixes a security hole within 0.7.0
>>
>> Package for 0.7.1 has been uploaded to unstable on September 21st.
>
> It would have been appreciated if you'd sent this mail _before_ doing
> that (or uploaded to experimental in the meantime).
>

Next time I'll contact the release team in advance.
Upload to experimental feels odd for me - upstream has officially released
0.7 - this is not experimental - right?

> Regards,
>
> Adam
>
>

Finally: what are we going to do?
Will anybody get hurt, if we "unfreeze" quassel 0.7.1-1?

In case squeeze will deliver a 0.6, I'll deliver 0.7 to backports asap.
The official 0.6 will most likely be unused - no need to deliver it then
within squeeze. I'll most likely request a removal from squeeze.

Regards,

Thomas

--
Thomas Müller
E-Mail: thomas.muel...@tmit.eu