[Pkg-netatalk-devel] More patches to flag as submitted upstream
Daniel Markstedt
markstedt at gmail.com
Thu May 4 21:07:03 BST 2023
> We should simply be generally attentive to the package, at all times.
>
> Concretely, it would be great if you could look into cherry-picking the
> fixes for severe bugs (notably the CVEs) as patches for stable and
> oldstable.
You mean cherry picking patches downstream into the Debian repo directly,
not waiting for a new Netatalk release to be tagged? I can sure do that.
And, since Ralph gave me full access to the upstream repo I can just as well
tag new Netatalk patch releases at any time. :)
BTW, how does one go about closing out bugs in the Debian BTS?
#740352 was resolved with https://github.com/Netatalk/netatalk/pull/219
Thanks again for getting 3.1.15 into the system!
Cheers,
Daniel
On Wed, May 3, 2023 at 10:06 PM Jonas Smedegaard <jonas at jones.dk> wrote:
>
> Quoting Daniel Markstedt (2023-05-04 03:57:28)
> > > The judgement is not so much the specific CVEs as it is a network-facing
> > > service with a history of ongoing CVEs being maintained effectively by
> > > only one person.
> >
> > Fair enough. I can understand that the state of the project didn't look good
> > when they made that call. So when does the release team start considering
> > packages for inclusion again? Mid 2025? Anything special you have to do
> > to make them take a second look at packages that were discarded in a prior
> > release cycle?
>
> We should simply be generally attentive to the package, at all times.
>
> Concretely, it would be great if you could look into cherry-picking the
> fixes for severe bugs (notably the CVEs) as patches for stable and
> oldstable.
>
> > BTW, I saw in your changelog commit:
> >
> > > [ upstream ]
> > > * new release
> > > + fixes CVE-2022-45188 CVE-2022-45188;
> >
> > Shouldn't this be:
> >
> > "fixes CVE-2022-43634 CVE-2022-45188"
>
> Whoops. Indeed - good catch!
>
> - Jonas
>
> --
> * Jonas Smedegaard - idealist & Internet-arkitekt
> * Tlf.: +45 40843136 Website: http://dr.jones.dk/
> * Sponsorship: https://ko-fi.com/drjones
>
> [x] quote me freely [ ] ask before reusing [ ] keep private