[DRE-maint] Debian LTS Security update of ruby-rest-client (advice needed)
Raphael Hertzog
hertzog at debian.org
Fri May 20 12:16:14 UTC 2016
On Fri, 20 May 2016, Antonio Terceiro wrote:
> > I see two options:
> > 1) I upload this fix above and we introduce the ruby-http-cookie (its
> > dependencies are already there, I have tested with the jessie version of
> > ruby-http-cookie on wheezy, so it is just to add this package too)
> > 2) We tell that the fix is not important enough.
> > I do not see the point in trying to change the correction in some other way
> > for wheezy.
>
> Can you introduce new packages in LTS? If you can, then just doing that
> and using the patch that was applied in jessie is probably good enough.
Technically we can but we need a ftpmaster to process NEW on
security.debian.org I guess.
From a policy point of view, I have mixed feelings. It means the security
upgrade might not be picked by "apt-get upgrade" due to the new
dependency.
Is the CVE severe enough to justify that extra work?
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/