Comment 7 for bug 1004834

Dominic Hargreaves (dom) wrote :

Hello Jamie,

I don't see any reference to DEP3 in your wiki page and even if it were there it doesn't seem like a good reason to reject changes (after all, in Debian DEP3 is not a requirement, nor is it (AFAICR) mentioned in Policy at all yet). As for the source of the commits, the updates are based on rolled up commits from upstream. Note that I'm acting as the Debian maintainer of these packages, not an Ubuntu developer, so I was hoping that an Ubuntu developer would be able to make any fine tweaks to my submissions before uploading them to Ubuntu. There's only so much energy I have when it comes to rolling updates for Ubuntu, especially when it's not clear that they will ever get released (#750339).

As for your question about the September regression: yes that should be applied, although it is a fairly minor regression compared to the other two, which as you have noticed were included.

As for the delay on this bug report - perhaps the bug system could be improved so that the security team are told about issues tagged as security issues?

There has been another round of updates from Best Practical (http://blog.bestpractical.com/2012/10/security-vulnerabilities-in-rt.html); they are available in Debian squeeze and the patch round-ups are at http://download.bestpractical.com/pub/rt/release/security-2012-10-25.tar.gz .

Please help me decide whether it's a good use of my time to submit updates for the latest issues based on the work I've already done in Debian.

Lastly, I notice that this bug was assigned to me, and then assigned to Marc instead. Please let me know the implications of this; is there work ongoing already? I don't want to duplicate work unnecessarily.