Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
On 2017-10-31 15:45:31, Raphael Hertzog wrote:
> On Tue, 31 Oct 2017, Antoine Beaupré wrote:
>> I'll take care of it then. Should I just reuse the old DLA id? or
>> simply mention the old DLA id in the announcement? Or mention all the
>> CVEs fixed in the old DLA in the new DLA?
>>
>> Not actually sure how to merge this. :)
>
> You prepare your DLA like usual but then you also document the CVE
> fixed by the old DLA in the mail sent to debian-lts-announce. But when
> you generate your template with bin/gen-DLA you only pass the newly fixed
> CVE (to not fix the same CVE twice in data/DLA/list).

Excellent, this will come out this afternoon once the package is accepted.

A.

--
A genius is someone who discovers that the stone that falls and the moon that doesn't fall represent one and the same phenomenon.
- Ernesto Sabato
Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
On Tue, 31 Oct 2017, Antoine Beaupré wrote:
> I'll take care of it then. Should I just reuse the old DLA id? or
> simply mention the old DLA id in the announcement? Or mention all the
> CVEs fixed in the old DLA in the new DLA?
>
> Not actually sure how to merge this. :)

You prepare your DLA like usual but then you also document the CVE fixed by the old DLA in the mail sent to debian-lts-announce. But when you generate your template with bin/gen-DLA you only pass the newly fixed CVE (to not fix the same CVE twice in data/DLA/list).

Cheers,
--
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
On 2017-10-31 14:13:13, Raphael Hertzog wrote:
> On Tue, 31 Oct 2017, Antoine Beaupré wrote:
>> > Please send it again and add a small sentence explaining that you send an
>> > old advisory that never made it to the list... IOW if you expect
>> > confusion, add an explanation to clear it up.
>>
>> I will be looking at a GM update later today - should I merge that
>> announcement in?
>
> That also works, sure.

I'll take care of it then. Should I just reuse the old DLA id? or simply mention the old DLA id in the announcement? Or mention all the CVEs fixed in the old DLA in the new DLA?

Not actually sure how to merge this. :)

A.

--
If you have come here to help me, you are wasting our time.
But if you have come because your liberation is bound up with mine, then let us work together.
- Aboriginal activists group, Queensland, 1970s
Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
On Tue, 31 Oct 2017, Antoine Beaupré wrote:
> > Please send it again and add a small sentence explaining that you send an
> > old advisory that never made it to the list... IOW if you expect
> > confusion, add an explanation to clear it up.
>
> I will be looking at a GM update later today - should I merge that
> announcement in?

That also works, sure.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
On 2017-10-31 11:56:31, Raphael Hertzog wrote:
> Hi,
>
> On Sat, 28 Oct 2017, Brian May wrote:
>> I didn't realize until after I uploaded the newer version associated
>> with DLA-1140-1. So I tried sending DLA-1130-1 again, followed by
>> DLA-1140-1.
>>
>> Unfortunately DLA-1140-1 made it to the list, but DLA-1130-1 still
>> didn't. I am concerned if I send DLA-1130-1 now that DLA-1140-1 has been
>> published it would cause confusion.
>
> Please send it again and add a small sentence explaining that you send an
> old advisory that never made it to the list... IOW if you expect
> confusion, add an explanation to clear it up.

I will be looking at a GM update later today - should I merge that announcement in?

> But not sending the announce is not a good option IMO. FWIW checking that the
> announce went through is part of my routine for each DLA.

Agreed. What I do is that I have the DLA template in my secure-testing SVN checkout after I sent it, and leave it there until I have verified it shows up in the archives. (Or that I received it, but my email client (notmuch) strangely makes that quite difficult, as it deduplicates multiple messages with the same message ID, so I can't really tell if I actually received my own messages! That will fortunately be fixed in the 0.26 release though...)

A.

--
There is no limit, sacred or not, to man's action in the universe. Since our origins we have had the choice: to be blinded by the truth or to sew our eyelids shut.
- [no one is innocent]
Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
Hi,

On Sat, 28 Oct 2017, Brian May wrote:
> I didn't realize until after I uploaded the newer version associated
> with DLA-1140-1. So I tried sending DLA-1130-1 again, followed by
> DLA-1140-1.
>
> Unfortunately DLA-1140-1 made it to the list, but DLA-1130-1 still
> didn't. I am concerned if I send DLA-1130-1 now that DLA-1140-1 has been
> published it would cause confusion.

Please send it again and add a small sentence explaining that you send an old advisory that never made it to the list... IOW if you expect confusion, add an explanation to clear it up.

But not sending the announce is not a good option IMO. FWIW checking that the announce went through is part of my routine for each DLA.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
Antoine Beaupré writes:

> Somehow the DLA-1130-1 that was associated with this upload never made
> it to the mailing list archive here:

Yes, I commented on that in a recent email.

I didn't realize until after I uploaded the newer version associated with DLA-1140-1. So I tried sending DLA-1130-1 again, followed by DLA-1140-1.

Unfortunately DLA-1140-1 made it to the list, but DLA-1130-1 still didn't. I am concerned if I send DLA-1130-1 now that DLA-1140-1 has been published it would cause confusion.

--
Brian May
Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
On 2017-10-27 19:05:07, Hugo Lefeuvre wrote:
> Hi Antoine, Brian,
>
>> Somehow the DLA-1130-1 that was associated with this upload never made
>> it to the mailing list archive here:
>>
>> https://lists.debian.org/debian-lts-announce/2017/10/
>>
>> I also didn't receive a copy, so I suspect it was never sent.
>>
>> A.
>>
>> PS: I realized this while reviewing my own announcements - it seems I
>> failed to send DLA-1144-1 myself... maybe we need better mechanisms to
>> catch those?
>
> Same for me, I had to send DLA 1133-1 three times before it reached the
> list. Like if the server would silently reject my emails. I wouldn't
> have noticed it without Ola's help.

My email finally got through today. According to #debian-lists, there was an issue with the signature verification software, which was fixed yesterday. In my case, I also previously had issues because I added a new signing subkey that took some time to propagate across Debian's infrastructure.

The main issue is we have currently no way of noticing when a number is skipped. It would be nice to automate this stuff somehow, yet I can't quite think of how...

Maybe by adding (signed) DLA files themselves into security tracker and have *that* send out the announcements?

A.

--
That's one of the remarkable things about life: it's never so bad that it can't get worse.
- Calvin
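
The skipped-number problem raised in the message above can be checked by reconciling the ids reserved in data/DLA/list against the subjects that actually reached the debian-lts-announce archive. The following is an added example, not part of the thread and not Debian's own tooling. It assumes the heading layout `[date] DLA-NNNN-R package - security update` for the list file and a `[DLA NNNN-R]` tag in announcement subjects; the sample data is constructed to mirror the state described in the thread, and the `example-pkg-*` names are hypothetical.

```python
import re

# Constructed sample in the assumed data/DLA/list layout (dates, CVE and
# most version fields are placeholders; example-pkg-* are hypothetical).
TRACKER_LIST = """\
[DD Mon YYYY] DLA-1144-1 example-pkg-b - security update
\t{CVE-XXXX-XXXX}
\t[wheezy] - example-pkg-b <version>
[DD Mon YYYY] DLA-1140-1 graphicsmagick - security update
\t[wheezy] - graphicsmagick <version>
[DD Mon YYYY] DLA-1133-1 example-pkg-a - security update
\t[wheezy] - example-pkg-a <version>
[DD Mon YYYY] DLA-1130-1 graphicsmagick - security update
\t[wheezy] - graphicsmagick 1.3.16-1.1+deb7u10
"""

# Constructed subjects of mails that made it to the list archive.
ARCHIVE_SUBJECTS = [
    "[SECURITY] [DLA 1140-1] graphicsmagick security update",
    "[SECURITY] [DLA 1133-1] example-pkg-a security update",
]

# Heading lines start in column 0; indented CVE/release lines never match.
RESERVED_RE = re.compile(r"^\[[^\]]+\]\s+DLA-(\d+)-(\d+)\s+(\S+)", re.M)
ANNOUNCED_RE = re.compile(r"\[DLA[ -](\d+)-(\d+)\]")

def reserved_ids(list_text):
    """Map (number, revision) -> package for every id reserved in the list."""
    return {(int(n), int(r)): pkg for n, r, pkg in RESERVED_RE.findall(list_text)}

def announced_ids(subjects):
    """Set of (number, revision) found in archive subject lines."""
    hits = (ANNOUNCED_RE.search(s) for s in subjects)
    return {(int(m.group(1)), int(m.group(2))) for m in hits if m}

def reconcile(list_text, subjects):
    """Return (reserved but never announced, announced but never reserved)."""
    reserved, seen = reserved_ids(list_text), announced_ids(subjects)
    missing = sorted((n, r, pkg) for (n, r), pkg in reserved.items()
                     if (n, r) not in seen)
    unreserved = sorted(seen - set(reserved))
    return missing, unreserved

if __name__ == "__main__":
    missing, unreserved = reconcile(TRACKER_LIST, ARCHIVE_SUBJECTS)
    for n, r, pkg in missing:
        print(f"DLA-{n}-{r} ({pkg}) reserved but not in the archive")
    for n, r in unreserved:
        print(f"DLA {n}-{r} announced but not reserved")
```

Run periodically against a fresh checkout and the current month's archive index, this flags an unsent or silently rejected advisory without relying on each uploader's own routine.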
Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
Hi Antoine, Brian,

> Somehow the DLA-1130-1 that was associated with this upload never made
> it to the mailing list archive here:
>
> https://lists.debian.org/debian-lts-announce/2017/10/
>
> I also didn't receive a copy, so I suspect it was never sent.
>
> A.
>
> PS: I realized this while reviewing my own announcements - it seems I
> failed to send DLA-1144-1 myself... maybe we need better mechanisms to
> catch those?

Same for me, I had to send DLA 1133-1 three times before it reached the list. Like if the server would silently reject my emails. I wouldn't have noticed it without Ola's help.

Cheers,
Hugo

--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA
Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
Somehow the DLA-1130-1 that was associated with this upload never made it to the mailing list archive here:

https://lists.debian.org/debian-lts-announce/2017/10/

I also didn't receive a copy, so I suspect it was never sent.

A.

PS: I realized this while reviewing my own announcements - it seems I failed to send DLA-1144-1 myself... maybe we need better mechanisms to catch those?

--
All governments are run by liars and nothing they say should be believed.
- I. F. Stone