Paul Irofti <p...@irofti.net> writes:

> On 5/16/2017 8:35 PM, Daniel Jakots wrote:
>> On Tue, 16 May 2017 19:32:39 +0300, Paul Irofti <p...@irofti.net> wrote:
>>
>>> Right, so how about this?
>>
>> I think it's better that way. Thanks for taking care of it. ok danj@
>
> What worries me about this approach of cherry-picking specific CVE
> patches is that we might skip other patches (included in the latest
> release) that do not have associated CVEs or, worse, that the maintainer
> did not spot.

Agreed.  I tend to stick to version updates if possible because
backporting can sometimes be fiddly.  But there really seems to be
a single security fix in this libetpan release, and a major bump is kind
of a problem for -stable.  On the other hand, libetpan has a single
consumer - claws-mail - so that's not too much to rebuild.

Avoiding the bump just seems more appealing to me; some users might not
even be aware that they need to build new packages when a major bump
lands in -stable.

If you want to push libetpan-1.8 in -stable, maybe check twice that
a major bump is actually needed?

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
