[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#987353: CVE-2020-8903 CVE-2020-8907 CVE-2020-8933

On Mon, May 10, 2021 at 09:00:34PM +0200, Moritz Mühlenhoff wrote:
> > Hi, since this package was brought into Debian in ~2018, there have been
> > several transformations in the GCE guest software stack and thus the
> > current landscape is very different. Google doesn't actually maintain the
> > official Debian package and we're not sure who is, if anyone. The Google
> > provided packages are shipped separately and will override the Debian
> > package if you use them from our repositories. Please see either our Google
> > Cloud docs <https://cloud.google.com/compute/docs/images/guest-environment>
> > or github readme
> > <https://github.com/GoogleCloudPlatform/compute-image-packages> for info on
> > the packages we are maintaining and shipping for Debian systems and on the
> > base Google provided GCE Debian images. Unfortunately, we never did find a
> > DD sponsor to help maintain our guest packages in Debian on the cadence
> > that we needed. I would advocate for removing this package from Debian if
> > we can't find a set of maintainers.
> Hi Zach,
> as it stands google-compute-image-packages won't be part of the next Debian
> stable release. Givem the last upload was in Oct 2019 the package seems
> unmaintained anyway, so if noone steps up to maintain it in the next months
> it's probably best to remove it entirely.

If we ever want to get to a point where the Debian cloud team is able to
publish useful images to the Google cloud service, we'll need to get
this package into shape for inclusion in a stable release.  The lack of
good maintenance of packages such as this one is a big factor in us not
being able to do so.  The package is nominally maintained by the cloud
team, but none of the current members is active in working with it.

As there seems to be interest within some members of the Debian
community in having Debian-published images available for GCE, we should
try to solicit help with package maintenance before we kick it out for


Attachment: signature.asc
Description: PGP signature

Reply to: