[Pkg-roundcube-maintainers] Bug#536498: closed by Nico Golde <nion at debian.org> (Re: Bug#536498: Please backport roundcube CVE-2008-5619)

Gerfried Fuchs rhonda at deb.at
Mon Jul 13 09:01:29 UTC 2009

* Benjamin Bannier <benjamin.bannier at netronaut.de> [2009-07-10 20:08:57 CEST]:
> On Fri, 10 Jul 2009 19:45:41 +0200 Nico Golde <nion at debian.org> wrote:
> > > I see roundcube-0.1.1-10~bpo40+2 still in backports. [..]
> > 
> > That's why I marked this bug as done with the unstable version.
> Sorry, maybe I got confused. I reported this bug here because the
> backports version was listed in the list of Debian packages. 

 Yes, that's a service along the path to get backports more integrated
and official. We unfortunately aren't there yet.

> If backports doesn't even have a bugtracker (couldn't find one on
> their homepage) this is maybe the right time to dump it from my
> sources.list.

 The <backports-users at lists.backports.org> mailing list[1] is as good as you
can get currently. A request tracker is in the works. Please also see
the information available on e.g. [2] about who did the actual backport
- in this case it was Holger Levsen. Though, I just asked him and he
said that he doesn't care about etch-backports.

[1] <http://lists.backports.org/mailman/listinfo/backports-users>
[2] <http://www.backports.org/~formorer/changes/etch-backports.html>

> > > I urge you to please make a version bump to backports since this is
> > > a security issue.
> > 
> > The best would be probably to ping the one who did the initial
> > backport. I CCed Alexander Wirt and Gerfried Fuchs (from
> > backports.org), maybe they can help you.
> Thanks. This should really be fixed.

 I usually track things in backports and prod the people who uploaded
the packages there or jump in myself. I'm though just one person and can
only do as much as I can do and offer best effort. Thanks for bringing
the issue directly to my attention, Nico. :)

 Given that Holger gives a damn I'm willing to invest the necessary
effort in case Alexander doesn't remove the package earlier than I am
able to produce the working backport.

 So long, and sorry for the inconvenience.
