Hi Simon, On Sun, Jul 30, 2023 at 09:48:57PM +0100, Simon McVittie wrote: > On Sun, 30 Jul 2023 at 22:04:24 +0200, Salvatore Bonaccorso wrote: > > For bullseye I think we should simply pick the upstream commit? > > Yes: we didn't keep up with upstream 2.50.x so there are a bunch of > unrelated fixes (2.50.4 up to .7) which would be out of scope for a > security update. If it was a package I knew better then I might be > advocating the new upstream release, but I can't really assess risk vs > benefit for librsvg, so cherry-picking the equivalent of .8 and .9 seems > more conservative. > > <https://salsa.debian.org/gnome-team/librsvg/-/merge_requests/20> > compiles successfully, I'll try it in a bullseye VM next.
If you are happy with the results and coverage from unstable, would you be open to prepare/finalize next the respective updates for bookworm-security and bullseye-security? Thanks a lot for your work so far on it! Regards, Salvatore