Hello Sven,
I prepared fixed versions of tomb for unstable [1], 2.7+dfsg2-2, and
> buster-backports [2], 2.7+dfsg2-2~bpo10+1. Please review these. I added
> myself as uploader, so feel free to provide upload permissions to me.
>
Nice, upload sponsored and I just sent the dcut command to give you upload
permissions.
If you haven't yet asked to be added to the backports ACL, you can do so by
following this link's instructions:
https://backports.debian.org/Contribute/
In the meantime, I'm happy to sponsor the backports upload as well, ping me
when the package has reached testing.
> Regarding buster I assume I should provide a 2.5+dfsg1-3 on a
> debian/buster branch in the repository. I would only add the security
> fix, nothing else. Is this the way to go?
>
That's correct, you should branch from the last buster upload. Please note
that you must follow a different process for stable uploads, assuming this
will be a buster-updates upload (and not buster-security, which is fine by
me), these are the instructions:
https://www.debian.org/doc/manuals/developers-reference/pkgs.html#special-case-uploads-to-the-stable-and-oldstable-distributions
Basically, you create a bug against release.debian.org and wait for the ACK
for the upload (freel free to CC me). I suggest taking a look at the
current open bugs to look for examples.
Thanks for your work :)
--
Samuel Henrique