On Thu, 13 Aug 2009 17:24:23 +0200 Nico Golde wrote:
>> P.S. by fixing bugs I meant in unstable
>
> Just realized that this may sound a bit harsh. Sorry. But
> this is really not the place where help is needed, picking
> up upstream security patches and applying them isn't the
> hard part. But there are a lot of bugs in the tracker which
> need actually people to work on fixes.

obviously; the patch and package were pretty straightforward (and i'm sure most of these things are), but since you gave me such a hard time i decided to fix something that needed fixing; and the discussion the last few days made it look like libxml was not going to get addressed.

my interest is in a secure stable (and oldstable) release and not so much unstable; hence i don't want to work on that. there are still a significant number of unaddressed issues in the stable releases right now. i would like to be permitted to apply patches and create packages for you for those releases. i have generated a patch for poppler, but not a package, and i guess that isn't enough to be useful. so i will generate a package for that and packages for other issues in the future.

i am also interested in making sure all security issues are known and triaged, which is a non-trivial task in and of itself. it's straightforward when issues trickle through the cve list, but less so when issues are disclosed to the public on other lists, but fall through the cracks; which is what mostly i have been concerned with. i would hope that this is helpful. the alternative is potentially never knowing about the flaw and leaving the hole open indefinitely (if it never gets a cve).

> Also a small comment:

> --- libxml-1.8.17/debian/changelog > +++ libxml-1.8.17/debian/changelog > @@ -1,3 +1,9 @@ > +libxml (1:1.8.17-15) oldstable; urgency=low > + > + * apply patches for CVE-2009-2414 and CVE-2009-2416 > + > + -- Michael Gilbert <[email protected]> Wed, 12 Aug 2009 17:28:31 > -0400

>
> wrong distribution line, wrong version number and wrong urgency, the latter is
> just cosmetical.

thanks for the hints; i will do better next time.

mike

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
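
Review bot: the header line `libxml (1:1.8.17-15) oldstable; urgency=low` of the quoted debian/changelog hunk carries all three problems the reply names. For an upload that fixes CVE-2009-2414 and CVE-2009-2416 in a released suite, the distribution field should name that release's security suite rather than plain `oldstable`, the version should extend the revision already shipped in that release with a suffix instead of taking a fresh `-15` revision that may clash with the numbering used in unstable, and `urgency=low` understates a security fix. The bullet `* apply patches for CVE-2009-2414 and CVE-2009-2416` also lists only the CVE ids; naming the files each patch touches would let a reader match the entry to the code change.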

