Bug#907835: [Pkg-xen-devel] Bug#907835: newer version in stable

2018-09-26 Thread Ian Jackson
Antoine Beaupré writes ("Re: [Pkg-xen-devel] Bug#907835: newer version in stable"):
> It's been two weeks and stable still has a newer version than unstable,
> which suffers from four security issues fixed in stable.
> 
> I understand you might have other plans in the long term, but in the
> meantime, why not just upload deb9u10 to unstable?

I went to do this but sadly, it no longer builds due to gcc8.  There
are upstream patches that could be cherry-picked but it's certainly no
longer simply a matter of importing the security update.

I am going to look at these failures since they are blocking my
package refactoring work and I expect that as an output I will produce
a list of upstream commits to cherry pick, which I will send to this
bug.

Ian.

-- 
Ian Jackson   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.



Bug#907835: [Pkg-xen-devel] Bug#907835: newer version in stable

2018-09-23 Thread Antoine Beaupré
On 2018-09-05 12:36:54, Ian Jackson wrote:
> The 4.8-based security updates have not been going to sid/buster for
> rather obscure reasons.  We have packages for 4.11 in preparation, so
> hopefully this will become irrelevant soon.

It's been two weeks and stable still has a newer version than unstable,
which suffers from four security issues fixed in stable.

I understand you might have other plans in the long term, but in the
meantime, why not just upload deb9u10 to unstable?

a.

-- 
Instead of worrying about what somebody else is going to do, which is
not under your control, the important thing is, what are you going to
decide about what is under your control?
 - Richard Stallman



Bug#907835: [Pkg-xen-devel] Bug#907835: newer version in stable

2018-09-05 Thread Antoine Beaupré
On 2018-09-05 12:36:54, Ian Jackson wrote:

[...]

> I agree that this is an RC bug.  Fixing it by removing the packages
> from buster wouldn't help, though.

Agreed. Removal is obviously an unwanted side-effect... :)

[...]

> The 4.8-based security updates have not been going to sid/buster for
> rather obscure reasons.  We have packages for 4.11 in preparation, so
> hopefully this will become irrelevant soon.

Excellent, thanks for the prompt response.

A.

-- 
Non qui parum habet, sed qui plus cupit, pauper est.
It is not the man who has too little, but the man who craves more,
that is poor.
 - Lucius Annaeus Seneca (65 AD)



Bug#907835: [Pkg-xen-devel] Bug#907835: newer version in stable

2018-09-05 Thread Ian Jackson
Antoine Beaupre writes ("[Pkg-xen-devel] Bug#907835: newer version in stable"):
> Source: xen
> Version: 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9
> Severity: serious
> 
> The version of the Xen packages in unstable and buster is lower than
> the one in Debian stretch. That seems highly irregular and will
> obviously break upgrades to buster.
> 
> The reason this is marked as "serious" is because I consider this a
> "severe violation of Debian policy". This would be section 3 of the
> Debian policy, although it curiously does not explicitly state that
> versions between different suites should be incrementing.

I agree that this is an RC bug.  Fixing it by removing the packages
from buster wouldn't help, though.

> I still consider this a release critical bug and that new upstream
> packages should first be uploaded to unstable, unless there is a
> security issue (which is the case here) in which case they should be
> simultaneously uploaded to both suites.

The 4.8-based security updates have not been going to sid/buster for
rather obscure reasons.  We have packages for 4.11 in preparation, so
hopefully this will become irrelevant soon.

Ian.

-- 
Ian Jackson   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.