On 09/06/2018 22:29, Adam D. Barratt wrote:
> On Fri, 2018-06-08 at 20:12 +0200, Sylvain wrote:
>> On 08/06/2018 19:55, Adam D. Barratt wrote:
>>> Control: tags -1 + confirmed
>>>
>>> On Wed, 2018-06-06 at 19:54 +0200, b...@debian.org wrote:
>>>> Please consider this update to freedink-dfarc for stretch.
>>>> It fixes a security issue that can overwrite arbitrary user
>>>> files.
>>>> Sending to stable following security team's directions from 2018-06-01.
>>> +freedink-dfarc (3.12-1+deb9u1) stable; urgency=high
>>>
>>> Please use "stretch" as the distribution.
>>>
>>> +  * Fix directory traversal in D-Mod extractor (CVE-2018-0496)
>>> +  * Upload to 'stable' as security team rejected a DSA to
>>> +    'stretch-security' (no justification)
>>>
>>> The changelog is not the place for such commentary - please remove
>>> it.
>>>
>>> With the above changes made, and assuming that the resulting
>>> package
>>> has been tested on stretch, please feel free to upload.
>> As per Social Contract #3 I do have to explain to my users why they
>> get the security fix after the disclosure.
> As with basically all core teams, Debian's security team is generally
> stretched in terms of manpower and can't handle every possible update
> that's security-related. Things have to be prioritised and sometimes
> those updates end up being provided via proposed-updates. That's always
> going to be the case in a volunteer project, and even larger and/or
> commercially-backed projects will still have to decide which updates
> they handle before others. This isn't a problem as such, just the way
> things are.

Workload: that's not what they say. When asked on IRC, they said the
team was "fine".

Priorities: I do accept them. However I can report that they are neither
documented nor explained:
- "In the past, uploads to stable were used to address security
  problems as well. However, this practice is deprecated"
  https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#upload-stable
- "I don't think this warrants a DSA."
  is the sole explanation I could get.
Plus, as I'm learning this 2-tier security support after years in
Debian, I deemed this all-the-more relevant to the changelog.

Incidentally, are you part of the Security Team?
If yes, I'd appreciate that you say so.
If not, that you don't speak for them.


>> This is not a commentary, this is purely factual.
> It's not a description of a change made to the package, nor information
> that users need in order to decide whether they should be installing
> it. As such, it is commentary. That has nothing to do with its
> factuality or otherwise.

It's a description of where the package is uploaded and why.
Moreover I fail to see how adding this information is causing any harm,
and in what way it's good to waste both our time complaining about it
rather than just accepting the upload as-is.

Since each question here needs a day or two to be answered, and since
I'm not going to stall the update any more, I'll apply what will only
look like helping to hide problems, as well as the AFAICS undocumented
(https://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable)
stable->stretch change.

Working on Debian is so depressing these days.

- Sylvain
