On Wed, 07 Dec 2016 at 11:55:50 +0100, Vincent Bernat wrote:
> ❦ 7 December 2016 11:27 +0100, Guilhem Moulin <guil...@guilhem.org>:
>
>>>> Unfortunately 1.2.x has many dependencies that aren't in
>>>> jessie-backports yet. I personally don't have the time nor energy to
>>>> maintain said dependencies, so we asked backports folks for an exception
>>>> to stick to 1.1.x for the bpo version, exception which was rejected.
>>>> I'm afraid the remaining alternative is to remove the package from
>>>> jessie-backports :-(
>>>
>>> Since the problem is quite serious, could you push the fix in bpo8+2
>>> nonetheless? Then wait a bit before asking for removal from backports to
>>> let actual users get an updated version. It seems far better than just
>>> leaving some people with vulnerable versions on their systems.
>>
>> Just tagged and pushed ‘debian/1.1.5+dfsg.1-1_bpo8+2’. Note that I
>> moved jessie-backports's HEAD to its parent first as it was on
>> debian/1.1.6+dfsg.1-1_bpo8+1 which didn't make it to bpo. Running
>>
>>     git branch jessie-backports debian/1.1.5+dfsg.1-1_bpo8+1
>>
>> before pull should fix this. Sorry for the inconvenience.
>
> Is the tag for debian/1.1.5+dfsg.1-1_bpo8+1? The diff for it is pretty
> big.

1.1.5+dfsg.1-1_bpo8+1 is the current version from jessie-backports (since
April 29). The diff between 1.1.5+dfsg.1-1_bpo8+1 and
1.1.5+dfsg.1-1_bpo8+2 is merely the upstream fix

    https://anonscm.debian.org/cgit/pkg-roundcube/roundcube.git/diff/?id=debian/1.1.5%2bdfsg.1-1_bpo8%2b2&id2=debian/1.1.5%2bdfsg.1-1_bpo8%2b1

-- 
Guilhem.