On Wed, Jun 24, 2026 at 02:36:13PM -0400, Nicolas Mora wrote:
> Hello,
>
> Le 2026-06-24 à 14 h 11, Moritz Mühlenhoff a écrit :
> > > Thank you. Note for trixie-security Moritz did prepared a security
> > > updae which should go out soon.
> >
> > I was unaware of the existing trixie pu update since it hasn't been
> > proposed to the stable release managers yet.
> >
> That's on me, I prepared the trixie pu package but didn't sent it to the
> release team because I was overwhelmed in the last weeks. I was planning to
> do so next week.
>
> I will not send my pu package then.
>
> > Nicolas, I prepared the following backport yesterday and have uploaded
> > to security-master, please also have a look over it. I'll release the
> > DSA tomorrow.
> >
> I see that you backported the LIBSSH2_UNCONST macro, I didn't do that in
> unstable because I was asking upstream about that, they answered me that
> "The UNCOST cast is simply to quiet compiler warnings and is fine to ignore
> if back porting." [1].
Ah, great to have explicit confirmation from upstream! The macro was rather
straightforward, so that felt like the safer route. Especially since future
security patches to be backported might also make use of it going forward.
> So I think both approaches are fine, But I suggest to use the same patches
> in testing and trixie since they use the same release (1.11.1)
>
> I will probably use your patches instead for testing.
Sound good to me! I'll release the DSA tomorrow, autopkgtests for stable
are all fine as well.
Cheers,
Moritz
