[Pkg-monitoring-maintainers] ganglia update for Squeeze (CVE-2012-3448)
daniel at pocock.com.au
Sun Jan 20 10:03:10 UTC 2013
On 20/01/13 10:44, Yves-Alexis Perez wrote:
> On dim., 2013-01-20 at 10:40 +0100, Daniel Pocock wrote:
>> In practice, people do stuff like this every day, but usually
>> when compiling for a single platform where they can see the
>> results themselves. I just don't know if there is some more
>> pedantic approach to managing this type of risk for updates to
>> stable and would appreciate feedback on that, however...
> Well, if a oneliner patch is not applied because of autotools, we
> really have a problem. And indeed, by only including the oneliner
> patch, we make sure nothing else changed in Squeeze, since the
> buildds still run the same compiler version that was used before.
If that is the case, then there is no problem.
>> Minimal change would mean exactly what I described: not producing
>> any new binary packages for ganglia-monitor.deb, gmetad.deb, etc.
>> We would only release the ganglia-web.deb binary package.
> We're not interested in binary packages in Debian but you're indeed
> free to do that kind of QA work upstream.
I'm not quite sure what you mean there... any package produced by
dpkg-buildpackage is, by definition, a binary package, even in the
case of ganglia-web.deb, which just contains un-compiled PHP text
files copied from the source package.