[Pkg-salt-team] Next salt upload

Joe Healy joehealy at gmail.com
Sat Oct 19 08:00:57 UTC 2013


Hi,

I have been a little unsure about the next step to take with uploading
salt.

The situation at the moment is:

1) There are 2 recent RC bugs:

 a) due to me missing new files added by upstream with different
    copyright and licences [1]

 b) due to some security issues identified with CVE numbers assigned
    [2]

2) Upstream have released 0.17.1 to pypi, which supposedly contains
   some security fixes. I am not clear on the relationship between the
   security issues fixed and the assigned CVE numbers.

Given [1] applied to some files in both 0.16.4 and 0.17.0 and my aim
to get 0.16.4 backported to squeeze-backports-sloppy, my plan was to
fix up the issues relating to [1] in 0.16.4, and once a fixed version
of 0.16.4 had progressed to testing, prepare 0.17.1 which will need to
go through the NEW queue.

The downside to this approach is it leaves the security issues open
for longer. The benefit is that it gets the packaging issues solved
now, without having to go through the NEW queue.

The alternate approach is to fix the packaging issues [1] in 0.17.1
and send that through the NEW queue now. I'm not certain this will
close the security issues, but it will mean that both issues are
addressed in a shorter overall timeframe.

At this stage, I think I will do the second approach (0.17.1 through NEW
now) because of the security and other fixes. It will need a DD
(hopefully you, madduck) to upload it, and I will ensure as far as
possible that we do not have similar problems to last time.

If anyone disagrees with the above plan, please let me know and I will
consider what to do based on the suggestion.

If I hear nothing, I will proceed with the second option over the
course of this weekend.

Thanks,

Joe




[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725999
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726480


