Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-31 Thread Antoine Beaupré
On 2017-10-31 15:45:31, Raphael Hertzog wrote:
> On Tue, 31 Oct 2017, Antoine Beaupré wrote:
>> I'll take care of it then. Should I just reuse the old DLA id? or
>> simply mention the old DLA id in the announcement? Or mention all the
>> CVEs fixed in the old DLA in the new DLA?
>> 
>> Not actually sure how to merge this. :)
>
> You prepare your DLA like usual but then you also document the CVE
> fixed by the old DLA in the mail sent to debian-lts-announce. But when
> you generate your template with bin/gen-DLA you only pass the newly fixed
> CVE (to not fix the same CVE twice in data/DLA/list).

Excellent, this will come out this afternoon once the package is
accepted.

A.

-- 
A genius is someone who discovers that the stone that falls and the
moon that doesn't fall represent one and the same phenomenon.
 - Ernesto Sabato



Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-31 Thread Raphael Hertzog
On Tue, 31 Oct 2017, Antoine Beaupré wrote:
> I'll take care of it then. Should I just reuse the old DLA id? or
> simply mention the old DLA id in the announcement? Or mention all the
> CVEs fixed in the old DLA in the new DLA?
> 
> Not actually sure how to merge this. :)

You prepare your DLA like usual but then you also document the CVE
fixed by the old DLA in the mail sent to debian-lts-announce. But when
you generate your template with bin/gen-DLA you only pass the newly fixed
CVE (to not fix the same CVE twice in data/DLA/list).

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-31 Thread Antoine Beaupré
On 2017-10-31 14:13:13, Raphael Hertzog wrote:
> On Tue, 31 Oct 2017, Antoine Beaupré wrote:
>> > Please send it again and add a small sentence explaining that you send an
>> > old advisory that never made it to the list... IOW if you expect
>> > confusion, add an explanation to clear it up.
>> 
>> I will be looking at a GM update later today - should I merge that
>> announcement in?
>
> That also works, sure.

I'll take care of it then. Should I just reuse the old DLA id? or
simply mention the old DLA id in the announcement? Or mention all the
CVEs fixed in the old DLA in the new DLA?

Not actually sure how to merge this. :)

A.

-- 
If you have come here to help me, you are wasting our time.
But if you have come because your liberation is bound up with mine, then
let us work together.
    - Aboriginal activists group, Queensland, 1970s



Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-31 Thread Raphael Hertzog
On Tue, 31 Oct 2017, Antoine Beaupré wrote:
> > Please send it again and add a small sentence explaining that you send an
> > old advisory that never made it to the list... IOW if you expect
> > confusion, add an explanation to clear it up.
> 
> I will be looking at a GM update later today - should I merge that
> announcement in?

That also works, sure.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-31 Thread Antoine Beaupré
On 2017-10-31 11:56:31, Raphael Hertzog wrote:
> Hi,
>
> On Sat, 28 Oct 2017, Brian May wrote:
>> I didn't realize until after I uploaded the newer version associated
>> with DLA-1140-1. So I tried sending DLA-1130-1 again, followed by
>> DLA-1140-1.
>> 
>> Unfortunately DLA-1140-1 made it to the list, but DLA-1130-1 still
>> didn't. I am concerned if I send DLA-1130-1 now that DLA-1140-1 has been
>> published it would cause confusion.
>
> Please send it again and add a small sentence explaining that you send an
> old advisory that never made it to the list... IOW if you expect
> confusion, add an explanation to clear it up.

I will be looking at a GM update later today - should I merge that
announcement in?

> But not sending the announce is not a good option IMO. FWIW checking that the
> announce went through is part of my routine for each DLA.

Agreed. What I do is that I have the DLA template in my secure-testing
SVN checkout after I sent it, and leave it there until I have verified
it shows up in the archives.

(Or that I received it, but my email client (notmuch) strangely makes
that quite difficult, as it deduplicates multiple messages with the same
message ID, so I can't really tell if I actually received my own
messages! That will fortunately be fixed in the 0.26 release though... )

A.

-- 
There is no limit, sacred or otherwise, to man's action in the
universe. Since our origins we have had the choice: to be blinded by
the truth or to sew our eyelids shut.
- [no one is innocent]



Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-31 Thread Raphael Hertzog
Hi,

On Sat, 28 Oct 2017, Brian May wrote:
> I didn't realize until after I uploaded the newer version associated
> with DLA-1140-1. So I tried sending DLA-1130-1 again, followed by
> DLA-1140-1.
> 
> Unfortunately DLA-1140-1 made it to the list, but DLA-1130-1 still
> didn't. I am concerned if I send DLA-1130-1 now that DLA-1140-1 has been
> published it would cause confusion.

Please send it again and add a small sentence explaining that you send an
old advisory that never made it to the list... IOW if you expect
confusion, add an explanation to clear it up.

But not sending the announce is not a good option IMO. FWIW checking that the
announce went through is part of my routine for each DLA.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-27 Thread Brian May
Antoine Beaupré  writes:

> Somehow the DLA-1130-1 that was associated with this upload never made
> it to the mailing list archive here:

Yes, I commented on that in a recent email.

I didn't realize until after I uploaded the newer version associated
with DLA-1140-1. So I tried sending DLA-1130-1 again, followed by
DLA-1140-1.

Unfortunately DLA-1140-1 made it to the list, but DLA-1130-1 still
didn't. I am concerned if I send DLA-1130-1 now that DLA-1140-1 has been
published it would cause confusion.
-- 
Brian May 



Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-27 Thread Antoine Beaupré
On 2017-10-27 19:05:07, Hugo Lefeuvre wrote:
> Hi Antoine, Brian,
>
>> Somehow the DLA-1130-1 that was associated with this upload never made
>> it to the mailing list archive here:
>> 
>> https://lists.debian.org/debian-lts-announce/2017/10/
>> 
>> I also didn't receive a copy, so I suspect it was never sent.
>> 
>> A.
>> 
>> PS: I realized this while reviewing my own announcements - it seems I
>> failed to send DLA-1144-1 myself... maybe we need better mechanisms to
>> catch those?
>
> Same for me, I had to send DLA 1133-1 three times before it reached the
> list. As if the server were silently rejecting my emails. I wouldn't
> have noticed it without Ola's help.

My email finally got through today. According to #debian-lists, there
was an issue with the signature verification software, which was fixed
yesterday.

In my case, I also previously had issues because I added a new signing
subkey that took some time to propagate across Debian's infrastructure.

The main issue is we currently have no way of noticing when a number is
skipped. It would be nice to automate this stuff somehow, yet I can't
quite think of how... Maybe by adding (signed) DLA files themselves into
security tracker and have *that* send out the announcements?

A.
-- 
That's one of the remarkable things about life: it's never so bad that
it can't get worse.
- Calvin
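
An added sketch of the skipped-number check wished for in the message above; it is not part of the thread and not Debian tooling. It compares advisory ids allocated in a tracker list with ids seen in announce-archive subject lines. Both line formats, the function names and the sample data are assumptions made for illustration.

```python
import re

# Assumed line shapes (not confirmed by the thread):
#   list header:     "[27 Oct 2017] DLA-1140-1 graphicsmagick - security update"
#   archive subject: "[SECURITY] [DLA 1140-1] graphicsmagick security update"
LIST_RE = re.compile(r"^\[\d{2} \w{3} \d{4}\] DLA-(\d+)-(\d+)\s+(\S+)")
SUBJECT_RE = re.compile(r"\[DLA[ -](\d+)-(\d+)\]")

def allocated_ids(list_text):
    """Map (number, revision) -> package for each advisory header line."""
    ids = {}
    for line in list_text.splitlines():
        m = LIST_RE.match(line)  # indented detail lines do not match
        if m:
            ids[(int(m.group(1)), int(m.group(2)))] = m.group(3)
    return ids

def announced_ids(subjects):
    """Set of (number, revision) found in archive subject lines."""
    found = (SUBJECT_RE.search(s) for s in subjects)
    return {(int(m.group(1)), int(m.group(2))) for m in found if m}

def audit(list_text, subjects):
    """Report ids allocated but never announced, and announced but never allocated."""
    alloc, seen = allocated_ids(list_text), announced_ids(subjects)
    return {
        "unannounced": [f"DLA-{n}-{r} ({alloc[(n, r)]})" for n, r in sorted(set(alloc) - seen)],
        "unallocated": [f"DLA-{n}-{r}" for n, r in sorted(seen - set(alloc))],
    }

# Constructed sample: ids come from the thread; dates, example-pkg-* names and
# the DLA-9999-1 subject are made up for illustration.
SAMPLE_LIST = """\
[27 Oct 2017] DLA-1144-1 example-pkg-b - security update
\t[wheezy] - example-pkg-b <version>
[24 Oct 2017] DLA-1140-1 graphicsmagick - security update
\t[wheezy] - graphicsmagick <version>
[17 Oct 2017] DLA-1133-1 example-pkg-a - security update
[16 Oct 2017] DLA-1130-1 graphicsmagick - security update
\t[wheezy] - graphicsmagick 1.3.16-1.1+deb7u10
"""
SAMPLE_SUBJECTS = [
    "[SECURITY] [DLA 1133-1] example-pkg-a security update",
    "[SECURITY] [DLA 1140-1] graphicsmagick security update",
    "Re: [SECURITY] [DLA-9999-1] constructed stray announcement",
]

if __name__ == "__main__":
    for kind, ids in audit(SAMPLE_LIST, SAMPLE_SUBJECTS).items():
        print(kind, ids)
```

Run periodically against the real list and a month of archive subjects, the "unannounced" entries are the advisories whose mail needs to be re-sent.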



Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-27 Thread Hugo Lefeuvre
Hi Antoine, Brian,

> Somehow the DLA-1130-1 that was associated with this upload never made
> it to the mailing list archive here:
> 
> https://lists.debian.org/debian-lts-announce/2017/10/
> 
> I also didn't receive a copy, so I suspect it was never sent.
> 
> A.
> 
> PS: I realized this while reviewing my own announcements - it seems I
> failed to send DLA-1144-1 myself... maybe we need better mechanisms to
> catch those?

Same for me, I had to send DLA 1133-1 three times before it reached the
list. As if the server were silently rejecting my emails. I wouldn't
have noticed it without Ola's help.

Cheers,
 Hugo

-- 
 Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA




Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-27 Thread Antoine Beaupré
Somehow the DLA-1130-1 that was associated with this upload never made
it to the mailing list archive here:

https://lists.debian.org/debian-lts-announce/2017/10/

I also didn't receive a copy, so I suspect it was never sent.

A.

PS: I realized this while reviewing my own announcements - it seems I
failed to send DLA-1144-1 myself... maybe we need better mechanisms to
catch those?
-- 
All governments are run by liars and nothing they say should be
believed.
   - I. F. Stone