security support in buster and the release notes


security support in buster and the release notes

Paul Gevers-4
Dear release team,

I am reaching out to you to align on the security support that users can
expect during the lifetime of buster and how this is covered in the
release notes.

The release notes currently contain a section on "Limitations in
security support", which currently covers:
 * web browsers and their rendering engines
 * ecosystem around libv8 and Node.js

Do these subjects still cover your current view of the support for
buster? Especially about the second item I am not sure if it still
applies (although I expect so). Are there other concerns or warnings, and
should they already be mentioned in the release notes?

On top of the above questions, of course it would be great if you would
check the wording of the current text [1].

On behalf of the release team,
Paul

[1]
https://salsa.debian.org/ddp-team/release-notes/blob/master/en/issues.dbk#L215
(Line number where we are currently)



Re: security support in buster and the release notes

Paul Gevers-4
Hi all,

This is a kind ping for a reply. There was a note on IRC for a reply,
but I fear it was forgotten or ENOTIME.

On 31-03-2019 21:34, Paul Gevers wrote:

> Dear release team,
>
> I am reaching out to you to align on the security support that users can
> expect during the lifetime of buster and how this is covered in the
> release notes.
>
> The release notes currently contain a section on "Limitations in
> security support", which currently covers:
>  * web browsers and their rendering engines
>  * ecosystem around libv8 and Node.js
>
> Do these subjects still cover your current view of the support for
> buster? Especially about the second item I am not sure if it still
> applies (although I expect so). Are there other concerns or warnings, and
> should they already be mentioned in the release notes?
>
> On top of the above questions, of course it would be great if you would
> check the wording of the current text [1].
>
> On behalf of the release team,
> Paul
>
> [1]
> https://salsa.debian.org/ddp-team/release-notes/blob/master/en/issues.dbk#L215
> (Line number where we are currently)
Paul



Re: security support in buster and the release notes

Moritz Mühlenhoff-2
In reply to this post by Paul Gevers-4
Hi,

> I am reaching out to you to align on the security support that users can
> expect during the lifetime of buster and how this is covered in the
> release notes.
>
> The release notes currently contain a section on "Limitations in
> security support", which currently covers:
>  * web browsers and their rendering engines
>  * ecosystem around libv8 and Node.js
>
> Do these subjects still cover your current view of the support for
> buster? Especially about the second item I am not sure if it still
> applies (although I expect so).

webkit2gtk will be covered by security support in buster, this has been
sorted out with the maintainers (and primarily with Alberto), it has
worked fine for Ubuntu since their last release and I'm optimistic
it will also work out fine for Buster.

The various webkit forks in QT are still not sanely supportable,
but no one else including upstream really covers them with security
support, so I think these are fine to be simply listed in
src:debian-security-support; I'm not sure they really warrant a further
callout in the release notes. Same for whatever version of mozjs
we'll ship in buster.

For Nodejs, upstream has fixed their processes and there are now
sensible long term branches which are updated in a professional manner,
so nodejs (and transitively the node-* packages) are properly supportable
(and we've also sorted out with Jeremy and Xavier that they agree that
it's supportable). Further work needs to happen to trim down the
set of packages (there's a number of "upload once because I need this
as a build dep" kind of dead packages), but that can be dealt with after
the buster release.

libv8 (in the form of src:libv8-3.14) is still a mess and won't be
part of buster anyway (maybe it can be built out of the libv8 copy
shipped by nodejs for bullseye).

I'll update debian-security-support in the next days to reflect all
that.

> Are there other concerns or warnings and
> should they already be mentioned in the release notes?

There has been no visible movement on the issues with Go as mentioned in
https://lists.debian.org/debian-release/2018/07/msg00002.html (and
this dates back much further, initial discussions were from 2016 or
earlier).

This is already an issue in Stretch (e.g. #922170), but will be much
worse in Buster, so unless someone reliably commits to work on
this ASAP the available options are to drop everything Go apart
from the toolchain packages from buster, or to exclude all that mess
from security updates so that people know what they can expect.

> On top of the above questions, of course it would be great if you would
> check the wording of the current text [1].

Ack, I'll have a look in the next days.

Cheers,
        Moritz


Re: Bug#928026: release-notes: document the state of security support for golang packages in Buster

Holger Levsen-2
On Fri, Apr 26, 2019 at 10:29:58AM +0000, Holger Levsen wrote:
> Also, I believe this bug should be cloned and reassigned to
> src:debian-security-support as well, so it's also documented there. Will
> do so once the bug arrives back.

done, #928027 it is.


--
tschau,
        Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
