On Fri, 18 Dec 2015 22:31:05 +0100, Robie Basak <[email protected]> wrote:

> (removing Jonathan specifically; the debian-release ML should be
> sufficient as this is for the release team generally now)
>
> On Mon, Dec 14, 2015 at 05:45:24PM +0000, Robie Basak wrote:
>> Can I ask that this request (for the release team to make a decision
>> between the choices I outlined[1]) be tabled again at the IRC meeting I
>> understand will be taking place this Wednesday? Please let me know if
>> there's anything I can do to help you make a decision on this.
>
> Following up, here's a summary of the outcome from the meeting
> yesterday. There is also a full log[1] and the previous meeting[2] from
> 23 September is also relevant.

Thanks for attending the meeting and for the summary, Robie! Like you, I'm
on vacation and have little opportunity to handle this until January. But
I thought I'd throw in a request for a bit more information on one of the
points:

> 20:12:56 <pochu> 2- no disclosure of security issues w/ patches

I know we are a bit tight with info about security issues upstream, but
all security bugfixes are available at
https://github.com/mysql/mysql-server as individual commits, and a list of
CVEs fixed is reported quarterly according to a published schedule.
Apparently that's not enough.

I fix the occasional security bug myself, but in the day to day work, I'm
not involved in handling CVEs etc., so I need some more details about what
Debian thinks is missing. It's hard for me to start a good discussion
upstream without fully understanding the issue. Can someone (e.g., the
security team?) please explain to me exactly what's requested and how
you're expecting to use the information? Can Debian handle information
given under NDA, or must all security bug info be public? When I
understand the problem, I can pull together the right people upstream and
see what we can do to fix it.

Merry Christmas,
Norvald H. Ryeng