Hi Nicholas,

On Mon, Jun 12, 2023 at 07:44:52PM -0400, Nicholas D Steeves wrote:
> Control: block 1033341 by -1
>
> Dear Salvatore and release team,
>
> Salvatore Bonaccorso <car...@debian.org> writes:
>
> > On Tue, Jun 06, 2023 at 11:00:14PM -0400, Nicholas D Steeves wrote:
> >> +org-mode (9.4.0+dfsg-1+deb11u1) bullseye-security; urgency=medium
> >> +
> >> + * Fix Org Mode command injection vulnerability CVE-2023-28617 by
> >> backporting
> >> + 0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch like
> >> src:emacs
> >> + did (Closes: #1033341). Thanks to Rob Browning's work in that
> >> package,
> >> + fixing org-mode was trivially easy!
> >> +
> >> + -- Nicholas D Steeves <s...@debian.org> Sun, 04 Jun 2023 13:26:52 -0400
> >
> > Small remark, for the bullseye pu update please target at 'bullseye'
> > not 'bullseye-security'.
> >
>
> Done. That was actually my first instinct, but I thought the existence
> of a CVE would destine the upload to the -security queue! I was wrong,
> but this is a teaching/learning moment.
>
> Is it as simple as: Use the -security queue when a DSA is needed,
> otherwise use the normal distribution code name and the foo-updates
> queue? No need to explain if it's more complicated and if you're busy.
> (I couldn't find documentation of this in the Dev Ref)

What is as well different for the uploads is to which upload queue you
would upload in the end. ftp-master for the proposed-updates via point
release, security-master for the security uploads.

There are two good entry points about the uploads for stable:

https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions
https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#handling-security-related-bugs

Hope this helps!

Regards,
Salvatore
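
Review bot: in the quoted changelog entry for 9.4.0+dfsg-1+deb11u1, the bullet identifies the fix only by CVE id and patch filename and spends its last sentence on an aside ("fixing org-mode was trivially easy!"). For a stable update it would read better to drop the aside and say in a few words what the backported patch changes, so someone reviewing the upload can judge it from the changelog alone. The header line of the same entry still shows bullseye-security as the target, which is the point raised in the remark quoted directly after it.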