On Sun, Feb 04, 2007 at 11:11:56PM +0100, Bart Martens wrote:
> On Sun, 2007-02-04 at 22:20 +0100, Moritz Muehlenhoff wrote:
> > Bart Martens wrote:
> > > Bug 402822 was tagged "security" on 14 Dec 2006.  I'm not sure whether
> > > your team scans the BTS daily for bugs tagged "security". :)
> > > 
> > > Any suggestions on how to handle this bug?
> > > 
> > > New sarge users won't install the insecure plugin, because installing
> > > flashplugin-nonfree 7.0.25-5 cannot download the insecure plugin.  So
> > > removing flashplugin-nonfree 7.0.25-5 from "stable" won't make anything
> > > more secure.
> > > 
> > > Existing sarge users might still be using the insecure plugin.  I could
> > > create flashplugin-nonfree 7.0.25-6 removing the insecure plugin without
> > > installing a new plugin, with a debconf dialog at level "critical"
> > > explaining the removal and suggesting backports.org.
> > 
> > non-free/contrib isn't supported by the Security Team. However, it appears
> > to me as if upgrading Sarge through a stable point update to the latest
> > fixed upstream (9.?) would be the best solution. It's a rocky upgrade path,
> > but that's what you have to bear when running proprietary software.
> 
> So your advice is to create a package for Sarge to install Flash 9.  Two
> questions about that:
> 
> 1. Must that package be created starting from 7.0.25-5 (ruby), or is it
> OK to start from 9.0.31.0.1 (shell scripting) ?
> 
> 2. Which procedure must be followed, "uploads to the stable
> distribution" or "Handling security-related bugs" ?
> http://www.debian.org/doc/manuals/developers-reference/ch-pkgs.en.html#s-upload-stable

This one, but you should discuss 1.) with the stable release managers first.
It's their call.

Cheers,
        Moritz
