[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Closing of buster-backports?

I know I'm a bit late here but I should explain my case to serve as a
data point for future decisions regarding backports.

We ship curl 7.74.0-1.2~bpo10+1 on buster-backports.
Bullseye currently has 7.74.0-1.3+deb11u7.

There are 20 CVE fixes between those two versions (besides other
fixes), I could fix all of those with a simple rebuild for
buster-backports (same package version), but that doesn't seem
possible anymore.

These CVE fixes can't land on buster directly as it has an older
version of curl, and even if the package on main is fixed, the one on
bpo is left vulnerable.

Users of buster who would like to use buster-backports are risking the
impact of these 20 CVEs due to the fact that we don't allow uploads

I do understand it takes some effort to keep buster-backports alive
and that not everyone will keep their packages up-to-date (at least
I'm paying close attention to curl's CVEs).
I'm not pushing for people to be required to maintain buster-bpo
alive, just wanted to give a datapoint on how useful it would have
been in the case of curl.

This also lead me to think it would be great to have something looking
into every stable/security upload and checking if there's a bpo
package which should get the same changes (It seems safe to say every
stable/security uploads should go to bpo if there's a package

[0] In some cases the bpo packages need changes to accommodate for the
older base, but these deltas should stay the same in the new rebuild
in 99% of the cases.

Samuel Henrique <samueloph>

Reply to: