Hi Jörg,

On Fri, May 26, 2017 at 12:04 AM, Jörg Frings-Fürst <[email protected]> wrote:
> Hi Vincent,
>
>
> first thanks for your review.
>
> On Thursday, 25.05.2017, at 22:50 -0700, Vincent Cheng wrote:
>> Hi Jörg,
>>
>> On Thu, May 25, 2017 at 1:23 PM, Jörg Frings-Fürst
>> <[email protected]> wrote:
>> > Hello Vincent,
>> >
>> > I have a bugfix release ready for a review.
>> >
>> > My changes:
>> >
>> > libonig (5.9.1-1+deb7u1) wheezy-security; urgency=high
>> >
>> >   * New debian/patches/0500-CVE-2017-922[4-9].patch:
>> >     - Cherrypicked from upstream to correct:
>> >       + CVE-2017-9224 (Closes: #863312)
>> >       + CVE-2017-9226 (Closes: #863314)
>> >       + CVE-2017-9227 (Closes: #863315)
>> >       + CVE-2017-9228 (Closes: #863316)
>> >       + CVE-2017-9229 (Closes: #863318)
>> >   * debian/control:
>> >     - Add myself as maintainer.
>> >
>> > Build with pdebuild are ok. The test with the newest lintian has a lot
>> > of warnings.
>> >
>> > The package is uploaded to mentors[1]. The debdiff is attached.
>> >
>> > Please can you review it?
>>
>> In your upload to mentors.d.n, why has the source tarball been changed
>> and versioned as if libonig was a native package (it's not)? Also, if
>> I'm not mistaken, it doesn't look like your CVE patch is actually
>> applied when I attempt to build your package.
>>
>
> Sorry my mistake. I don't see that there was no d/source/format.
>
> I add them, build and test the package. The patch is now applied.
>
> The package is uploaded again[1].

Looks good, uploaded. Thanks for preparing the upload!

>> Have you updated dla-needed.txt, obtained a DLA id and prepared an
>> announcement for debian-lts-announce, as described in [1]?
>>
> No, I have no rights to do it. But I have yesterday ask Raphael Hertzog
> and the LTS-Team to do it.

Ok, sounds good.

Regards,
Vincent
