
Re: bullseye / libgdbm6:amd64 is a catastrophgy



On Fri, Aug 25, 2023 at 11:02:35PM -0400, Chris Frey wrote:
> On Fri, Aug 25, 2023 at 07:02:07AM -0400, Roberto C. Sánchez wrote:
> > To claim that "because this bug affects me, it *must* be
> > fixed, even when it does not meet the criteria for a normal security bug
> > and when the maintainer thinks there is a risk of breaking working
> > configurations for other users" is somewhat inconsiderate of others and
> > shows a disregard for the rather robust process that we try to utilize
> > to ensure that we properly balance the needs of everyone involved.
> 
> I don't think that's the claim, to be fair.
> 
> It's more:
> 
> 	Release		gdbm version	Status
> 	-----------	-------------	--------------
> 	Buster		1.18		no pre-read feature
> 	Bullseye	1.19		pre-read added, no way to disable it
> 	Bookworm	1.20		reverted back to default behaviour,
> 					added GBM_PREREAD to enable it
> 
> It's a regression in upstream, which upstream agreed with, and upstream
> fixed it.  

That said, it changes nothing of the things that I pointed out. Whether
it is a new bug, regression, or whatever originating from upstream, the
point is that it works in a particular way in the version that shipped
with the release of bullseye. The concern of the maintainer is that
applying upstream's change risks breaking other working configurations.

> The question is how to get the benefits to Bullseye users.
> 
It seems like if there were a way to get the new upstream release into
bullseye that it would address the issue. However, while applying the
patch to 1.19 has risks, updating to 1.20 almost certainly has other
risks. Even if it can be proven to be a risk-free change, there are very
few packages which fall into the category of "circumstances around the
package are such that new upstream releases are allowed into the stable
releases". Given the reverse dependencies of this package, that seems
like an unlikely occurrence here.

> 
> On Fri, Aug 25, 2023 at 01:41:36PM +0200, Christopher Huhn wrote:
> > A backport of the bookworm package would be my way to go, I guess.
> 
> This is probably the easiest path, if someone can upload it to
> debian backports for Marc.
> 
However, do keep in mind that the -backports repo is not supported by
the LTS team. That is to say, once bullseye passes to LTS, there will be
no further updates to packages in bullseye-backports. In the event that
there is a concern that this package might be affected by a security
vulnerability that needs to be patched during the LTS lifespan, it is
best to plan for an upgrade to bookworm at the earliest convenience.

Regards,

-Roberto

-- 
Roberto C. Sánchez
