Bug#987353: CVE-2020-8903 CVE-2020-8907 CVE-2020-8933

On 2021-05-10 12:16:09, Noah Meyerhans wrote:
> On Mon, May 10, 2021 at 09:00:34PM +0200, Moritz Mühlenhoff wrote:
> > > Hi, since this package was brought into Debian in ~2018, there have been
> > > several transformations in the GCE guest software stack and thus the
> > > current landscape is very different. Google doesn't actually maintain the
> > > official Debian package and we're not sure who is, if anyone. The Google
> > > provided packages are shipped separately and will override the Debian
> > > package if you use them from our repositories. Please see either our Google
> > > Cloud docs <https://cloud.google.com/compute/docs/images/guest-environment>
> > > or github readme
> > > <https://github.com/GoogleCloudPlatform/compute-image-packages> for info on
> > > the packages we are maintaining and shipping for Debian systems and on the
> > > base Google provided GCE Debian images. Unfortunately, we never did find a
> > > DD sponsor to help maintain our guest packages in Debian on the cadence
> > > that we needed. I would advocate for removing this package from Debian if
> > > we can't find a set of maintainers.
> > 
> > Hi Zach,
> > as it stands google-compute-image-packages won't be part of the next Debian
> > stable release. Given the last upload was in Oct 2019 the package seems
> > unmaintained anyway, so if no one steps up to maintain it in the next months
> > it's probably best to remove it entirely.
> If we ever want to get to a point where the Debian cloud team is able to
> publish useful images to the Google cloud service, we'll need to get
> this package into shape for inclusion in a stable release.  The lack of
> good maintenance of packages such as this one is a big factor in us not
> being able to do so.  The package is nominally maintained by the cloud
> team, but none of the current members is active in working with it.

I hope that we'll be able to change it, but for me the fundamental question is if
Google is interested in participating in the effort to keep those packages in
Debian main and if so what resources can be committed to do so.
From my side I can say that I'll try to find time to work on the relevant
packages or to sponsor uploads if somebody else wants to take on this task.

So for me the first step for restarting this work would be to have a conversation
with Zach about agreeing what needs to be done, how we are going to do it and
what commitments are we going to put in place to make it relevant in the long

> As there seems to be interest within some members of the Debian
> community in having Debian-published images available for GCE, we should
> try to solicit help with package maintenance before we kick it out for
> good.

Thanks Noah for motivating me to reply to this email. I think this is a worthy cause,
thus I hope we can have it sorted without removing those packages from Debian.

|_|0|_|                                                  |
|_|_|0|                  "Panta rei"                     |
|0|0|0|             -------- kuLa --------               |

gpg --keyserver pgp.mit.edu --recv-keys 0x686930DD58C338B3
3DF1  A4DF  C732  4688  38BC  F121  6869  30DD  58C3  38B3
