Hi Chris,

On 26-07-2019 04:03, Chris Lamb wrote:
> Hi Paul,
>
>> it will take time before it does, as python-django can not migrate
>> before reverse dependencies are fixed or removed. The latter isn't very
>> nice for your reverse dependencies if you didn't give them proper
>> heads-up. The former isn't nice for the python-django users of testing.
>
> Mmm and I see that now. As in, please be assured that I didn't
> override those feelings out of a lack of care or concern for the
> reverse dependencies and their maintainers; it merely didn't really
> occur to me, perhaps in a frenzy of post-Buster release motivation.

I try to always assume good faith :), so it's close to what I suspected
to be the case.

> What do you suggest going forward regarding this CVE, at least?

Either you want to have the CVE fix migrate to testing soon, then the
best way forward is to upload a 2:2.2.3+really1:1.11.22-1 package, wait
until that migrates and then upload the current package as
2:2.2.3+reallynow-1 (or something like that). Or you trust that it can
wait until the time we allow for this transition (it sort of is one) to
have run out, we remove the un-migrated packages from testing and your
new package will migrate.

I prefer the former approach, but I can live with the latter, as Moritz
said fixing the CVE in testing could wait a bit. But for the latter
approach it's crucial to inform your reverse (test) dependencies and set
them a deadline.

Either case, please file bugs at severity level serious, which also
means that the autoremoval counter starts ticking for those packages,
but still let them know of the deadline (something like 4 or 6 weeks,
what is reasonable?). Autoremovals are reset by people pinging the bug,
we don't want to let this happen indefinitely.

Paul
_______________________________________________
Python-modules-team mailing list
Python-modules-team@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/python-modules-team