[Pkg-cyrus-sasl2-commits] r433 - in /cyrus-sasl-2.1/branches/heimdal/debian: changelog repack.sh watch

Fabian Fagerholm fabbe at paniq.net
Sun May 24 18:40:26 UTC 2009


On Sat, 2009-05-23 at 09:24 -0400, Roberto C. Sánchez wrote:
> Then I am curious as to what the "right" way to handle this is.
[...]

*sigh*

I went ahead and made the version update myself. I'm usually happy to
share knowledge about Debian packaging, but in this situation we have a
grave security flaw to deal with, and it doesn't seem like the best time
to practise anymore. :(

Also, you left the SVN repository in an incomplete and unbuildable state
although you had tagged the new version. I had to revert a lot of your
changes and clean up the source tree, now unfortunately with no time to
consider which changes were correct and which were not. For example,
naming the orig tarball "...+dfsg" conflicts with the naming conventions
for security uploads, so we would have had to invent a naming scheme of
our own to be able to give security support in the future, which would
likely have made the Security Team's work more annoying. I should have
told you not to make this change, but I didn't think of it before and I
assumed that you knew what you were doing and were considering all
relevant aspects since you indicated that you would make the security
release.

It seems that you were unsure of how to properly handle the security
issue and didn't have time to complete it. Maybe you felt pressured by
my status enquiries. I definitely did not mean to indicate that it was
your task to do; I was trying to get a realistic assessment from you.

It's ok not to have time, but it's not ok to first indicate that you
will do something and then leave the work unfinished! For now, maybe it
would be best if you practised some more before making releases and
especially security releases. It's easy to invent some patch of your own
and practise the release procedure without making any SVN changes or
real uploads. Also, you may want to read the Security FAQ [0] and the
relevant portions of the Debian Developer's Reference [1].

I hope I'm not coming through as hostile. I'm not angry, just
disappointed.

[0] http://www.debian.org/security/faq
[1] http://www.debian.org/doc/developers-reference/pkgs.html#bug-security

-- 
Fabian Fagerholm <fabbe at paniq.net>

