On Mon, Apr 08, 2019 at 12:32:35PM +0000, Holger Levsen wrote:
> Hi,
> 
> I've done this again and am considering (in general) to not write these mails
> anymore. Please speak up if you think these mails are useful (or could
> be made more useful.)
> 
> Today I do feel it's useful to point out, that one should not merely
> reclaim the packages but also update the notes and explain why the
> package is claimed for long but not uploaded. Else it will be unclaimed
> again next week.
> 

Perhaps there needs to be a way to tag or otherwise identify packages in
a "holding" status.  In my case, I have python2.7 (LTS/ELTS), python3.4
(LTS), python2.6 (ELTS), and python-urllib3 (ELTS/LTS).*  All are
affected by various CVEs out of a group which has been identified by
upstream.  Some CVEs have patches, while others are still awaiting
upstream action.  I have already integrated patches for those CVEs which
have them and hence have packages which are partially ready.

It doesn't make sense to me to upload right now with only some
vulnerabilities patched (or none for same cases where a package is only
affected by the one or two CVEs which have no upstream patch yet).  I
suppose that I could push everything to Salsa and unclaim the packages
(leaving a link to where I've pushed my work), but I do intend to apply
upstream's patches as soon as they become available, test, and upload.
It seems not especially efficient for me to go to the trouble of
cleaning up the in-progress work to push to Salsa.

Is there perhaps a way of thinking about this that I am missing?

Regards,

-Roberto

* Of course, apart from those which were unclaimed from my by the most
  recent run.

-- 
Roberto C. Sánchez

Reply via email to