[Pkg-sass-devel] Bug#921952: Bug#921952: Don't include in buster without proper commitment to update in stable

[Aljoscha Lautenbach]

Hi,

> @Aljoscha: Thanks for your initial work and - more so - for
> committing to help generally looking after these security issues in
> libsaass.

> Due to the expansion of the libsass team with Aljoscha, I am
> lowering severity of this bugreport.

Just in case that was not clear in my initial message, that is indeed
the intention. On any given week I can spend 0.5 to 4 hours on this,
so this will not be an instantaneous change, but a slow and steady
effort.

I have continued to update the little CVE table I sent earlier, and I
will start to update and file bugs accordingly soon (where
"soon" ~= 3 weeks, due to upcoming vacation).

Kind regards,
Aljoscha

On Tue, 16 Apr 2019 at 16:51, Jonas Smedegaard <dr at jones.dk> wrote:
>
> control: severity -1 important
>
> Quoting Aljoscha Lautenbach (2019-04-09 23:03:06)
> > during the BSP in Gothenburg last weekend I discussed with Jonas how I
> > could help to put libsass back on track regarding its security status.
> > We agreed that the best move is to start with triaging the existing
> > Debian bugs and by identifying the CVE status in upstream's issue
> > tracker. [0]
>
> @Aljoscha: Thanks for your initial work and - more so - for committing
> to help generally looking after these security issues in libsaass.
>
> Due to the expansion of the libsass team with Aljoscha, I am lowering
> severity of this bugreport.
>
> If the security team or others disagree, then please elaborate what you
> consider is needed.
>
>
>  - Jonas
>
> --
>  * Jonas Smedegaard - idealist & Internet-arkitekt
>  * Tlf.: +45 40843136  Website: http://dr.jones.dk/
>
>  [x] quote me freely  [ ] ask before reusing  [ ] keep private