[Pkg-netatalk-devel] More patches to flag as submitted upstream

[Jonas Smedegaard]

Quoting Daniel Markstedt (2023-05-02 20:35:33)
> > Unfortunately the package will *not* make it for the upcoming release of
> > Debian: The lack of attention to package in the fall (my maintaining it
> > alone, with too much on my plate) made the security team discourage its
> > inclusion, and by now it is too late to release to get it reintroduced.
> 
> That's a bummer! But I'm not easily discouraged so don't worry, haha.

Excellent.

> We didn't have the fixes for the last few CVEs back in last fall anyways,
> so it might not have made a difference.
> 
> Is there an appeals process or some other way to get a package
> reevaluated for inclusion in a stable release during its lifetime?

The judgement is not so much the specific CVEs as it is a network-facing
service with a history of ongoing CVEs being maiantained effectively by
only one person.

In principle it is possible to appeal, but personally I have a severe
discomfort with "begging for mercy" towards the Debian release team
(despite being good friends with people from that team). So if others
(perhaps you, perhaps others more familar with Debian reading this?)
wants to give it a try, then please do - but speaking for myself, I
would rather let the whole World be without a stable netatalk for 3
years than request its reinclusion.


> And as long as the package lives on in Sid, it can be considered for any
> future stable release, I assume?

That's correct.

> But anyways, having a deb for folks to pull from an unofficial repo is still
> a big step up from asking users to build it from scratch.

Certainly.

> No rush with netatalk2. We have some additional fixes lined up.
> I might cut another release in a few weeks.

:-)


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely  [ ] ask before reusing  [ ] keep private