Hi Duncan,

On Tue, Feb 13, 2007 at 05:09:44PM -0500, Duncan Findlay wrote:
> SpamAssassin 3.1.8 will be released shortly with a fix for
> CVE-2007-0451, among other changes.

> What I'd like to know is whether I should build a 3.1.7 package with
> the backported security fix, or whether I should upload 3.1.8 to
> unstable and ask that it be propagated to testing. What are the
> guidelines in this area?

> Here's a summary of the changes from 3.1.7 to 3.1.8:

> 3.1.8 is a major bug-fix release, including the following issues:

> - bug 5318: set a maximum internal length for URIs
> - bug 5240: disable perl module usage in update channels unless
>   --allowplugins is specified

this one in particular seems like a behavior change that shouldn't be
introduced into etch at this late stage of the freeze.

> - bug 5056: remove Text::Wrap related code due to upstream issues

hmm, also sounds like a risky change during a freeze.

So yes, a backport of the security fix would be appreciated.

> If a backport is needed, do I upload 3.1.8 to unstable and then
> 3.1.7-2 to t-p-u or is it better to upload 3.1.7-2 and wait for it to
> propagate before uploading 3.1.8.

It's better to upload 3.1.7-2 to unstable first and let it propagate to
testing, since the autobuilders (must) give precedence to unstable over
testing-proposed-updates.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/

