On Tue, Mar 21, 2017 at 03:30:43AM +0100, John Darrington wrote:
> On Mon, Mar 20, 2017 at 10:12:40PM -0400, Leo Famulari wrote:
> I did try that too.  Unfortunately the Debian patch seems to have combined some non-CVE
> fixes into the same patch AND that patch is dependendent upon some other unrelated patches.

Bah.

> I probably could with a lot of trial and error make a patch which works, but IMO that
> defeats the purpose.  I security patch should be A) as simple as possible; B) not 
> contain any unrelated fixes; and C) prepared by someone who knows what she is doing.

Indeed.

>      Or, we could try building from an arbitrary Git commit.
> 
> Yes. That is the other option -  I think it might be a what we'll have to do.

Okay, let us know how it goes.