
Bug#959723: RM: matrix-synapse/0.99.2-6 -- ROM; security issues; obsolete version



On Mon, May 04, 2020 at 03:35:25PM +0200, Julien Cristau wrote:
> On Mon, May 04, 2020 at 03:30:53PM +0200, Andrej Shadura wrote:
> > Synapse 0.99 was never meant to be a properly usable release in buster,
> > and it was only included as some sort of a plug to make upgrades a tiny
> > bit easier for users — they were supposed to upgrade the package to the
> > version from backports almost immediately.
> > 
> > However, the time when this version was usable has definitely passed. It
> > has a bunch of security issues fixed in the newer releases, and the
> > effort of porting them back is significant, while most probably everyone
> > running synapse on buster is on the version from backports or the
> > version from the upstream.
> > 
> > Please remove matrix-synapse from buster only.

> That is terrible practice.  Shipping something in stable is a commitment
> to support it throughout the release's lifetime.  Removing it from
> stable doesn't remove it from user systems, doesn't communicate to them
> that it is not fit for purpose, or anything like that.  Please
> reconsider your strategy here.

I think in this case it’s okay because of this NEWS entry:

https://sources.debian.org/src/matrix-synapse/0.99.2-6/debian/NEWS/

-- 
Cheers,
  Andrej

