Hi,

On Mon, May 25, 2020 at 07:47:56PM +0200, Moritz Mühlenhoff wrote:
> On Mon, May 25, 2020 at 10:22:50AM +0200, Sylvain Beucler wrote:
> > Hi Security Team,
> >
> > What is your view on updating mysql-connector-java 5.1.42->5.1.49 for
> > Stretch?
>
> We can update to 5.1.49, yes. We've had to update it to new 5.1.x
> releases in the past and I don't remember any issues. The fact
> that there's zero information totally sucks, but there's nothing
> we can do either (apart from removing it as we did a year ago).
>
> Looking at the debdiff from
> https://www.beuc.net/tmp/debian-lts/mysql-connector-java/
> the remaining change would be to change the version number to
> 5.1.49-1~deb9u1 and the targets distro to stretch-security.

I'm a bit late to the party, but just want to give my 2 cents on the
versioning scheme.

Agreed here to not use the really-something variant. Usually I think
this is useful when you have rebased something to a *higher* version,
but need to roll back. Example: graphicsmagick/1.4+really1.3.35+hg16296-1
or lxc/1:3.1.0+really3.0.4-3 (other examples exist).

So I think the proper version would be either what Moritz said,
5.1.49-1~deb9u1, or 5.1.49-*0*+deb9u1. For practical reasons there is no
difference, both work. Usually it just points out more what the upload
does.

5.1.49-1~deb9u1 would give more of a hint like "this update is a rebuild
of 5.1.49-1 for stretch, possibly minus/plus some additional changes".

5.1.49-0+deb9u1 (please note the 0, not -1+deb9u1) means more something
like "we imported upstream 5.1.49 on top of the current packaging
plus/minus probably some additional changes".

Personally I would go with 5.1.49-0+deb9u1 due to the meaning; there are
other source packages which follow this schema. Others do it with the
~debXuY variant.

For both in any case we have 5.1.49-0+deb9u1 <= 5.1.49-1 and
5.1.49-1~deb9u1 <= 5.1.49-1. And as usual there are exceptions as well.

Anyway, I would suggest to not use the +really syntax.

Regards,
Salvatore
