Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Short version: Please unblock file 1:5.22+15-1

It entered unstable a few weeks ago. I did extensive testing before uploading, and no issues have been reported. However, switching to a new upstream version still requires a longer explanation.

Since the latest version in jessie (1:5.20-2), at least six¹ security issues were fixed upstream. The usual way to handle this in Debian was to cherry-pick the relevant commits from upstream. Together with the required prerequisites, this would have resulted in some 18 commits to add to the patch queue, creating a complex start for file in jessie.

My decision to forward to a new upstream version (plus some more commits) instead was also driven by the experience of backporting fixes for wheezy and squeeze-lts which became quite complex, always carrying the risk of introducing new bugs. For jessie, I'd like to start at a late point so fixing future security bugs will be easier.

Note, I have not attached the debdiff as it's rather huge, some 69k lines. I will hand it in later upon request.

Kind regards,

Christoph

¹ <https://security-tracker.debian.org/tracker/source-package/file>
Unless noted in the tracker, the sid version of file does contain the fix for CVE-2014-9653. Upstream fix is commit 445c8fb (FILE5_21-10-g445c8fb) which is included in 5.22.