On Tue, 22 May 2012, Mark A. Hershberger wrote:
> This should be public in a couple of days, but if you want to look now:
Ah, thanks. Still waiting for my DD subscription.
How _does_ MediaWiki want to handle this? Personally, if I’m a packager of something, and that something has an identified security issue, I’d be glad if there were some sort of issue tracker with a reference to the CVE number, the commit(s) fixing it, and possible versions affected and commit(s) with a backported fix to versions currently supported by upstream, for adding to the packaged version. Tim Starling has referred me to the commits for the one bug I was unable to look at (and I was added to Cc for that bug in the meantime), thanks for that, so I could backport that to the MW we have in Debian.
Is there any interest from MW side to support a specific version (which would have to be released within the next two to three weeks) for a long(er) time? We’re probably talking three+ years here: a year until the release, plus two to three years until the next release. Of course, if we can do our share to backport fixes, sure, but help from actual developers would be better. I’m not very familiar with the code as is.
(Of course pending the mediawiki-math is missing issue; Roland is working on the FF upgrade and has asked for input in case you didn’t see the mail, but it appears that this is handled or will be handled soon, so one of the two reasons for me to try to veto an MW upgrade is already gone. – On the other hand, I don’t really want to keep backporting to 1.15 for 3+ years either… so, Jonathan, what’s up with mediawiki-math?)
bye, //mirabilos