On Fri, 20 May 2016, Antonio Terceiro wrote:
> > I see two options:
> > 1) I upload this fix above and we introduce the ruby-http-cookie (its
> > dependencies are already there, I have tested with the jessie version of
> > ruby-http-cookie on wheezy, so it is just to add this package too)
> > 2) We tell that the fix is not important enough.
> > I do not see the point in trying to change the correction in some other way
> > for wheezy.
>
> Can you introduce new packages in LTS? If you can, then just doing that
> and using the patch that was applied in jessie is probably good enough.

Technically we can but we need a ftpmaster to process NEW on
security.debian.org I guess.

From a policy point of view, I have mixed feelings. It means the security
upgrade might not be picked by "apt-get upgrade" due to the new
dependency.

Is the CVE severe enough to justify that extra work?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
