Re: security support in buster and the release notes

To: Paul Gevers <elbrus@debian.org>
Cc: Debian Security Team <team@security.debian.org>, release-notes@packages.debian.org, Debian release team <debian-release@lists.debian.org>
Subject: Re: security support in buster and the release notes
From: Moritz Mühlenhoff <jmm@inutil.org>
Date: Sat, 20 Apr 2019 23:07:34 +0200
Message-id: <[🔎] 20190420210734.GA22183@pisco.westfalen.local>
In-reply-to: <f1a737f3-b0d9-1111-f42e-bb10196b63f6@debian.org>
References: <f1a737f3-b0d9-1111-f42e-bb10196b63f6@debian.org>

Hi,

> I am reaching out to you to align on the security support that users can
> expect during the lifetime of buster and how this is covered in the
> release notes.
> 
> The release notes currently contain a section on "Limitations in
> security support", which currently covers:
>  * web browsers and their rendering engines
>  * ecosystem around libv8 and Node.js
> 
> Do these subjects still cover your current view of the support for
> buster. Especially about the second item I am not sure if it still
> applies (although I expect so).

webkit2gtk will be covered by security support in buster, this has been
sorted out with the maintainers (and primarily with Alberto), it has
worked fine for Ubuntu since their last release and I'm optimistic
it will also work out fine for Buster.

The various webkit forks in QT are still not sanely supportable,
but noone else including upstream really covers them with security
support, so I think these are fine to be simply listed in
src:debian-security-support, I'm not sure really warrant a further
callout in the release notes. Same for whatever version of mozjs
we'll ship in buster.

For Nodejs, upstream has fixed their processes and there are now
sensible long term branches which are updated in a professional manner,
so nodejs (and transitively the node-* packages) are properly supportable
(and we've also sorted out with Jememy and Xavier that they agree that
it's supportable). Further work needs to happen to trim down the
set of packages (there's a number of "upload once because I need this
as a build dep" kind of dead packages), but that can be dealt with after
the buster release.

libv8 in the form of src:libv8-3.14) is still a mess and won't be
part of buster anyway (maybe it can be built out of the libv8 copy
shipped by nodejs for bullseye).

I'll update debian-security-support in the next days to reflect all
that.

> Are there other concerns or warnings and
> should they already be mentioned in the release notes?

There has been no visible movement on the issues with Go as mentioned in
https://lists.debian.org/debian-release/2018/07/msg00002.html (and
this dates back much further, initial discussions were from 2016 or
earlier).

This is already an issue in Stretch (e.g. #922170), but will be much
worse in Buster, so unless someone reliably commits to work on
this ASAP the available options are to drop everything Go apart
from the toolchain packages from buster or exclude of all that mess
from security updates so that people know what they can expect.

> On top of the above questions, of course it would be great if you would
> check the wording of the current text [1].

Ack, I'll have a look in the next days.

Cheers,
        Moritz

Reply to:

Follow-Ups:
- Bug#928026: release-notes: document the state of security support for golang packages in Buster
  - From: Holger Levsen <holger@layer-acht.org>
- Re: security support for golang packages in Buster
  - From: Shengjing Zhu <zhsj@debian.org>

Prev by Date: Processed: Re: Bug#924974: unblock (pre-approval) or RM: epiphany-browser/3.32.1.2-2
Next by Date: Bug#922987: stretch-pu: package cernlib/20061220+dfsg3-4.3
Previous by thread: Re: security support in buster and the release notes
Next by thread: Bug#928026: release-notes: document the state of security support for golang packages in Buster
Index(es):
- Date
- Thread