[Pkg-netatalk-devel] CVE fixes for netatalk in oldstable

Daniel Markstedt daniel at mindani.net
Thu Aug 31 06:23:52 BST 2023


Jonas,

Great feedback, thanks for taking the time to break this down.
There's definitely some cultural adjustment remaining for me!

The reason I cc'ed Markus specifically is because he was the one who took action on each of the CVE and regression patches for the Buster package over the last few months.
Your point is that if I want Markus's attention, I cc the Security Team ML and let them respond in accordance with their internal process, right?

Good idea to increase the severity of the ticket. Done!
Not sure if I succeeded in cc'ing this ML though.

Anyhow, I'm definitely planning to transition to the CLI interfaces for Debian bugs shortly.
I finally have a reliable SMTP server that I can use, as well as a physical machine for Debian.
So far I've been using a bunch of transient VMs on a Windows PC for development (sorry!)

Cheers,
Daniel

------- Original Message -------
On Wednesday, August 30th, 2023 at 1:31 AM, Jonas Smedegaard <jonas at jones.dk> wrote:


> 
> 
> Hi Daniel,
> 
> [Markus and release team dropped as recipients]
> 
> Quoting Daniel Markstedt (2023-08-30 04:24:28)
> 
> > A few weeks ago I made a request for approval to make an oldstable-security (Bullseye) netatalk release with a large patchset for 9 CVE advisory fixes.
> > As mentioned in the bug, the exact same patchset has been applied to oldoldstable-security (Buster) with help from the Security Team (Markus cc'ed here for transparency).
> > 
> > The bug is here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049325
> > 
> > Would it be possible to get feedback on the proposed release?
> 
> 
> This followup question is sensible, but it is suboptimal to move the
> conversation away from the bugreport.
> 
> I guess your intent is to include the Netatalk team in the conversation.
> A better approach for that is to add the team email address with a
> special email header when posting to the bugreport, like this:
> 
> To: 1049325 at bugs.debian.org
> X-Debbugs-Cc: pkg-netatalk-devel at alioth-lists.debian.net
> 
> It is generally considered not nice to single out individuals (but I
> might be missing a fair reason to do it here specifically).
> 
> Please consider reposting the above question to the bugreport,
> X-Debbugs-Cc the Netatalk team.
> 
> > I've only very recently joined as maintainer of the netatalk package so please bear with me if there is some obvious step that I'm overlooking.
> 
> 
> Fine that you mention this concern. For the record I don't think
> there's anything wrong in your original bugreport, and I guess the
> release team is simply busy. One detail, though: Since the issue is
> security-related, you might want to raise severity. You can do that by
> adding a pseudo-header as the very first line of email content, like
> this:
> 
> Control: severity -1 important
> 
> More on severities here:
> https://www.debian.org/Bugs/Developer#severities
> 
> Possibly a higher severity is reasonable.
> 
> If you only want to adjust severity or other metadata, without providing
> additional content, you can use command-line tool "bts", part of Debian
> package devscripts.
> 
> 
> - Jonas
> 
> --
> * Jonas Smedegaard - idealist & Internet-arkitekt
> * Tlf.: +45 40843136 Website: http://dr.jones.dk/
> * Sponsorship: https://ko-fi.com/drjones
> 
> [x] quote me freely [ ] ask before reusing [ ] keep private


