Hi,

On 20/03/2020 18:04, Utkarsh Gupta wrote:
> On Fri, Mar 20, 2020 at 5:33 PM Sylvain Beucler <[email protected]> wrote:
>> These are 2 cases (request from Jessie user or from maintainer) that I
>> have yet to see :)
>> Do you have a specific case in mind?
> I do. But I am not very sure if I should mention the user thingy
> publicly or not.

We can discuss the specific vulnerability.
Otherwise I would stick to the minor/unimportant guidelines from my
previous mail (i.e. from
https://security-team.debian.org/security_tracker.html).

If a user requires a minor/unimportant fix though, that may mean that
the bug was incorrectly categorized and could be re-evaluated with
additional input in data/CVE/list.

> Anyway, the other case (where the maintainer wants to fix) is phpmyadmin.
> Of course, he being the upstream and downstream maintainer, wanted to
> fix this in Jessie.

Hmm, I'm curious. What vulnerability would he like to fix that we
didn't? This may mean we should have.

> And I am happy to help in such cases, because why not?
> Just curious, if such a case happens, should I/we issue a DLA or not?

Any DD can directly update Jessie following:
https://wiki.debian.org/LTS/Development
with no additional privileges (that's what postgresql's maintainer does).

You can certainly send a DLA on behalf of the uploader, if they don't
want to do it.

Cheers!
Sylvain
