Fwd: shibboleth-sp security upload

Ferenc Wagner wferi at niif.hu
Wed Mar 25 10:25:24 UTC 2015


Hi Russ,

I'm asking for your help doing the below security uploads.
(Of course any other interested DD is also welcome to step up, Russ
seems very busy nowadays.)
The advisory URL is wrong in the commit message on the wheezy branch,
but there's not much I can do about that.  Sorry.

There will also be a wheezy-backports upload, once these are cleared.

I can tag the respective Alioth branches once the uploads are made.

Concerning the tags: what's the trick to get gbp to include the .changes
text in the annotation?  Or is it manual work?

Thanks,
Feri.

-------------------- Start of forwarded message --------------------
Subject: Re: shibboleth-sp security upload
From: Yves-Alexis Perez <corsac at debian.org>
To: Ferenc Wagner <wferi at niif.hu>
Cc: team at security.debian.org
Date: Wed, 25 Mar 2015 08:12:26 +0100

On Tue, 2015-03-24 at 09:57 +0100, Ferenc Wagner wrote:

> Yves-Alexis Perez <corsac at debian.org> writes:
> 
>> Since the issue is now public, you can upload an isolated fix to
>> unstable and ask the release team for a freeze exception.
>>
>> You can also build the wheezy fix (remember to build in a clean wheezy
>> chroot with dpkg-buildpackage -sa since it was never uploaded to
>> wheezy-security). Then upload to security-master.
> 
> Unfortunately, I need a sponsor to upload for me.  I published the
> wheezy fix under http://apt.niif.hu/upload/, and the unstable fix at 
> https://mentors.debian.net/package/shibboleth-sp2.
> 
> Can you sponsor these uploads or should I ask around?

Sorry, I definitely can't for the unstable part. You should do as usual.
I can try to build a wheezy one but it might be faster if you ask your
usual sponsor.
 
> Apart from these, at least a wheezy-backports upload will be needed.
> I've prepared the packages, shall I coordinate that upload with you as
> well? 

No, we don't handle backports.

> Further, the squeeze and squeeze-backports versions are also
> vulnerable, shall I prepare packages for those?

The squeeze-lts team might handle the squeeze part, but I don't think
squeeze-backports are still supported or worth it.

Regards,
-- 
Yves-Alexis
-------------------- End of forwarded message --------------------