On Mon, 2020-05-25 at 00:13 +1000, Hugh McMaster wrote: > Hi Adam, > > On Thu, 21 May 2020 at 19:34, Adam D. Barratt wrote: > > On Thu, 2020-05-21 at 09:30 +0000, Mike Gabriel wrote: > > > Sorry for the delay. I have uploaded +deb9u2 and +deb10u2 of > > > libexif > > > now. I will write the SRU acceptance request bugs this afternoon. > > > > > > > There's already #961019 and #961020... > > Owing to three more CVEs in libexif, I need to prepare new releases > for Jessie, Stretch and Buster. > > For Stretch and Buster, should the debdiff show changes against the > current (old)stable release or changes against the most recent > proposed version? > > Put another way, should this new version be +deb9u2 (replacing the > proposed version) or +deb9u3 (an incremented version)?
Personally, it probably makes more sense for the new stretch version to be +deb9u3, built on top of the already uploaded package (and similar for buster) with a second release.d.o bug describing the new fixes. You /can/ re-use the version if that would be preferable, as the package is still in (old)stable-new right now, but that will require a reject+reupload cycle, and presumably corresponding re-tag on the git side. I'm assuming that all of the fixes are either already present in unstable, or aren't relevant there. Regards, Adam
