[Pkg-netatalk-devel] CVE fixes for netatalk in oldstable

Jonas Smedegaard jonas at jones.dk
Wed Aug 30 09:31:09 BST 2023


Hi Daniel,

[Markus and release team dropped as recipients]

Quoting Daniel Markstedt (2023-08-30 04:24:28)
> A few weeks ago I made a request for approval to make an oldstable-security (Bullseye) netatalk release with a large patchset for 9 CVE advisory fixes.
> As mentioned in the bug, the exact same patchset has been applied to oldoldstable-security (Buster) with help from the Security Team (Marcus cc'ed here for transparency).
> 
> The bug is here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049325
> 
> Would it be possible to get feedback on the proposed release?

This followup question is sensible, but it is suboptimal to move the
conversation away from the bugreport.

I guess your intent is to include the Netatalk team in the conversation.
A better approach for that is to add the team email address with a
special email header when posting to the bugreport, like this:

To: 1049325@bugs.debian.org
X-Debbugs-Cc: pkg-netatalk-devel@alioth-lists.debian.net

It is generally considered not nice to single out individuals (but I
might be missing a fair reason to do it here specifically).

Please consider reposting the above question to the bugreport,
X-Debbugs-Cc the Netatalk team.


> I've only very recently joined as maintainer of the netatalk package so please bear with me if there is some obvious step that I'm overlooking.

Fine that you mention this concern.  For the record I don't think
there's anything wrong in your original bugreport, and I guess the
release team is simply busy.  One detail, though: Since the issue is
security-related, you might want to raise severity.  You can do that by
adding a pseudo-header as the very first line of email content, like
this:

Control: severity -1 important

More on severities here:
https://www.debian.org/Bugs/Developer#severities

Possibly a higher severity is reasonable.

If you only want to adjust severity or other metadata, without providing
additional content, you can use the command-line tool "bts", part of the
Debian package devscripts.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely  [ ] ask before reusing  [ ] keep private