lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update doc

Browse Source
This commit is contained in:
Laurent Destailleur 2015-09-03 18:11:26 +02:00
parent 69a4e2cd95
commit 52aee5562f
1 changed files with 18 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
build/debian/README.howto
View File

@ -331,7 +331,7 @@ http://packages.qa.debian.org
Use this to move from unstable to testing.
reportbug -B debian
reportbug -B debian --smtphost=smtp.gmail.com:587 --smtpuser=xxxx --smtppasswd=yyyy --tls
Choose package "release.debian.org"
Then "unblock"
Then name of package "dolibarr"
@ -345,14 +345,25 @@ After discussion with ..., it appears that security holes are enough to request
Use this to request an update of a stable package
reportbug -B debian
reportbug -B debian --smtphost=smtp.gmail.com:587 --smtpuser=xxxx --smtppasswd=yyyy --tls
Choose package "release.debian.org"
Then "unblock"
Then name of package "dolibarr"
Fill message, for example:
"Please unblock package dolibarr
A security error CVE-2015-3935 was reported and is fixed into package 3.5.7.
Note that package 3.5.7 contains not only fixed for bugs reported to debian. It includes other fixes, but they are all related to stability or security,
so it is a better solution to validate this maintenance release than applying a patch of the only CVE-2015-3935.
After discussion with ..., it appears that security holes are enough to request this unblock request."
"
A security error CVE-2015-3935 was reported for Dolibarr ERP CRM package. This bug is fixed into official package 3.5.7 of Dolibarr.
Package 3.5.7 is a maintenance release compared to 3.5.5 and contains only fixes. But not only bugs reported to debian, it includes also other fixes (but they are all related to stability or security).
I think it is a better solution to validate this maintenance release based on the new upstream version of Dolibarr than applying a patch of the only CVE-2015-3935.
Pro are:
- It fixes all debian reported bugs (including security one)
- It fixes also stability bugs
- Patches were already tested because deployed and used by several thousands of users.
- It is easier for package maintener to include this official set of fixes than applying one patch after one patch for each debian report or backported each patch into a dedicated version.
- Debian maintenance version matches with official project maintenance version (better when all fixes are not related to the way the software is packaged)
Cons are:
- The patch include more than the only one security reported fxes
So I just need to know if it's ok to push such a version 3.5.7 (fixes for 3.5.* branch) instead of only one fix for only the few (the only) reported debian bugs,
since it provides more stability and is or me a more secured process.
"