Antoine Beaupré <anar...@orangeseeds.org> writes: > That said, if we do fix this in jessie, we should do it at the same time > as the regression identified in stretch (DSA-4377-2).
> Russ, do you want to handle the Jessie update or should the LTS team do > it? > Should we wait for resolution on this issue before shipping the errata? Apologies for the delayed reply -- I had company for the holiday weekend in the US. I think the regression identified at: https://bugs.launchpad.net/ubuntu/+source/rssh/+bug/1815935 is sufficiently serious to warrant another regression fix in stable, if the security team agrees. I'm going to prepare a new package for unstable and stable with a fix for that regression, and can do oldstable at the same time and roll in the DSA-4377-2 regression fix. While I agree that using undocumented features of rsync is a little dubious, I'm also willing to include a fix to allow the specific command line "rsync --server --daemon <path>" since (a) it seems to be safe, (b) looks easy enough to do, and (c) my only goal with rssh at this point is to keep it working through the stable support period, so I'm not too worried about the long-term maintenance burden of one-off hacks like that. I should be able to do this later today. Does this plan sound good to everyone? I'll follow up with the proposed diffs for stable and oldstable. -- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>