Hi Markus,

Yes, Nils was doing an NMU for me. Unless they are very keen I'll handle the backports. As you said, the confusion is on the sponsorship. We were using Mentors as a way of getting the package from him to me in the standard way.
- Craig

On Tue, 24 Dec. 2019, 4:27 am Markus Koschany, <a...@debian.org> wrote:
> Hello Niels,
>
> On 23.12.19 at 15:04, DebBug wrote:
>
> > Anyone to chime in? Craig? Markus?
>
> There is a bit of confusion here, so I try to explain the situation and how we should proceed. Thank you for filing bug report #947212 to track the security issues in Wordpress. This will help to answer those questions raised by Adam. However, there was already #946905 that you could have used as well.
>
> You have only recently added me to CC, presumably because I have done some security uploads in the past for Wordpress. I don't know what you have discussed with Craig and if he wants to review your work and sponsor it later. Then you actually don't need to open a sponsorship request on debian-mentors.
>
> Sponsorship requests are either of severity normal or important. Here it would be ok to use important, but the severity is merely an indicator and it doesn't automatically guarantee that a bug is prioritized. Security related bugs like #947212/#946905 are either of severity important or grave.
>
> Version 5.3.2 seems to fix a couple of security vulnerabilities. No CVE has been assigned yet. This version should be uploaded to unstable.
>
> If you want to fix Wordpress in Buster and Stretch as well, then you have to go a different route. The security team is responsible for that. As previously discussed, I recommend basing security updates on upstream releases for specific Wordpress branches.
>
> https://wordpress.org/download/releases/
>
> Buster should be updated to version 5.0.8 and Stretch to 4.7.16. In both cases you would base your work on the Wordpress packages in Buster and Stretch. The changes to the debian files should be minimal; you would merely rebase existing patches and repack the tarball to make it compliant with the DFSG.
>
> In short:
>
> Version 5.3.2 -> unstable
> Did Craig agree with the upload?
> If there is simply no response because of the holiday season we could do a NMU with a delay of 5 to 10 days. I assume you haven't made any major changes to the package.
>
> After that:
> Version 5.0.8 -> buster-security
> Version 4.7.16 -> stretch-security
>
> You can already prepare the packages, then we contact the security team and ask for approval.
>
> Regards,
>
> Markus