On 30/12/24 at 19:24, Otto Kekäläinen wrote:
> I see you now tagged debian/2.46.0-2 and likely uploaded it.
Yes, as a team upload.
> Why were you in such a hurry?
Because CVE-2024-52308 seems grave enough for that, and fixing it in unstable is usually a prerequisite for a stable fix.
> Why couldn't you let the Go team take care of this?
Well, in some sense I did. I joined the Go team to fix things like this. Mainly in stable, but not only.
> You bypassed now both code reviews and uploaded despite failing CI.
I tested the package locally and it built ok while previously it did not, so your fix for the Glamour v0.8.0 issue seemed correct, and I also checked that the fix for CVE-2024-52308 matched the upstream fix. So, the upload seemed good enough given the severity of CVE-2024-52308, and now we can think about fixing CVE-2024-52308 in stable. If you think I did wrong, well, I'm sorry. Thanks.
