[Secure-testing-team] squeeze webkit security update

Michael Gilbert michael.s.gilbert at gmail.com
Mon Feb 21 18:20:40 UTC 2011


On Mon, 21 Feb 2011 18:42:31 +0100, Thijs Kinkhorst wrote:
> Hi Mike,
> 
> On Monday 21 February 2011 18:23:52 Michael Gilbert wrote:
> > I've prepared a package for the new stable upstream webkit 1.2 branch
> >  [0]. That branch now only contains security fixes.  Would it be OK to
> > push this new upstream version as a DSA for squeeze?
> 
> Thanks. I think conceptually this is a good idea, I do have some practical 
> issues with the current package:
> 
> - The version number 1.2.7-1 won't work for stable since this is higher than 
> testing/unstable. In the past this would be propagated automatically to the 
> latter ones but I think that hasn't worked for many years now. 

Is there any way to restore this functionality?  This would be the
ideal solution.

> The best way 
> forward depends a bit on the plan for sid:
> * If you want upload 1.2.7-1 there,you can upload 1.2.6-2+1.2.7-1 (or 
> something like 1.2.7-0+squeeze1 when wheezy has 1.2.7-1) to squeeze.
> * If you want to upload 1.3 there, we can accept 1.2.7-1 in squeeze as soon as 
> 1.3 is in testing.

We're planing to only upload security updates to sid/wheezy for a while
now (until the next stable upstream webkit release).  It would be
preferable if we can make one upload to all three (squeeze, wheezy,
sid) at the same time.

> - The changelog doesn't seem to mention any CVE id's.

Oops, I do need to fix that.

> - You add yourself as maintainer and DM-uploader even though you don't have 
> that position in unstable. Is this agreed upon with the current maintenance 
> team?

Yes, I've been working with Gustavo to prepare this update, and I
think he agrees with DM-uploader status for me (I've CC'd the webkit
maintainers for a response).

Best wishes,
Mike



More information about the Secure-testing-team mailing list