Hi Michael,

[Giving my opinion only, final word is obviously to the release team]

On Wed, Apr 08, 2020 at 04:11:31PM +0200, Michael Biebl wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: [email protected]
> Usertags: pu
>
> Hi,
>
> I'd like to make a stable/buster upload for systemd fixing CVE-2020-1712
> https://security-tracker.debian.org/tracker/CVE-2020-1712
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950732
>
> After talking to the security team (namely Salvatore), we decided to fix
> this issue via a stable upload.
>
> The debdiff is a bit on the larger side, unfortunately.
> Salvatore made a smaller backport avoiding some of the refactorings
> that were done upstream
> https://salsa.debian.org/systemd-team/systemd/-/merge_requests/69
>
> I decided to go with the backport provided by upstream that was done for
> the v241-stable branch mainly for two reasons:
> - It makes potential future cherry-picks easier
> - Doing our own backport has the potential to introduce Debian specific
>   bugs
>
> That said, if you prefer the more minimal backport from Salvatore,
> please let me know and I'll redo the upload accordingly.

While I did the work, I would as well strongly prefer to go rather the
upstream route and be on the safe side. I tried to diligently backport it,
but as upstream did provide their own approach to the v241 branch I think
this would be better by means of the two raised reasons from Michael
above.

Thank you Michael for working towards a fix for the issue for buster.

Regards,
Salvatore

