[pkg-fetchmail-maint] Re: fetchmail sec bug

Lucas Wall lwall at debian.org
Tue Aug 9 03:02:42 UTC 2005


Nico Golde wrote, On 08/08/05 19:42:
> Hi,
> * Lucas Wall <lwall at debian.org> [2005-08-08 21:41]:
> 
>>Nico Golde wrote, On 08/08/05 15:27:
>>
>>>Hi,
>>>#320357 is closed, what did I do wrong?
>>>It should be open for stable.
>>>Please help.
>>
>>The bug is closed in unstable, but not in stable. Check:
>>
>>http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=fetchmail&dist=stable
>>
>>Note the "dist=stable" at the end of the link. You can also see the
>>"Found in versions ..." line at the top of the bug report.
>>
>>Well... If you put "unstable" you will also see it open. That's because
>>hurd-i386 still has version 6.3.5-12.
> 
> 
> Mhm yes but what's with the:
>     * Will be archived: in 26 days. 
> ?
> 
> 
>>When you ask for a particular distribution you will see the versions
>>involved after the main title in the bug list page.
>>
>>You can close a bug for a particular version using the command:
>>
>>close <bug nbr> <version>
>>
>>When a bug is closed with an upload the bug is closed for the version
>>indicated in the changelog block it is in.
> 
> 
> I know, but why does the website say it will be archived if it isn't
> closed?

Hmmmm... I see the point. Well, I haven't seen the latest changes to the
BTS source so I can only guess. The version feature is new so I'm sure
there are several things to fine tune. I now see new headers I hadn't
seen before, like: "not applicable to this version".

I don't really know what will happen in 26 days with that bug.

>>The sec team should eventually upload a new version for stable,
>>something like 6.2.5-12.sarge1. The bug should then be closed for this
>>particular version.
> 
> 
> Yes, I mailed them.
> 
> 
>>BTW... Did you hear anything else from the sec team? What exactly did
>>you send them? Just the patch for fetchmail or did you prepare an upload
>>for them?
> 
> 
> I sent them the patch, not a whole package, but they for sure
> can use the package from unstable cause there is no upstream
> version change.

They can't use the package from unstable even if there is no upstream
version change. The new package for stable must have the security fix
*alone*, no other changes. Even if there is no new upstream version we
did a couple of changes to the package after Sarge.

> I got one mail from Steve Kemp who asked for the patch and
> then never heard anything from them.
> If I miss something, correct me but if not I think it's a
> shame to have an open security bug in sarge after some weeks. All other
> distributions fixed it and it is easy to fix.

Well... The Developers Ref suggests preparing a package for them. The
security team must still check and upload the package, you just make
their lives a little bit easier.

K.-

-- 
Lucas Wall <kthulhu at kadath.com.ar>      .''`.
Buenos Aires, Argentina                : :ø :   Debian GNU/Linux
http://www.kadath.com.ar               `. `'  http://www.debian.org
PGP: 1024D/84FB46D6                      `-
     5D25 528A 83AB 489B 356A        http://people.debian.org/~lwall
     4087 BC9B 4733 84FB 46D6        mailto:lwall at debian.org
