Am Freitag, dem 09.08.2024 um 15:27 +0100 schrieb Simon McVittie: > Caution: This is an external sender. Please take care when clicking > links or opening attachments. When in doubt, contact the IT > Department > > > > On Fri, 09 Aug 2024 at 13:31:02 +0000, Johannes Drexl wrote: > > I was under the impression that the software stack of a > > stable/oldstable release does not change anymore (safe for security > > updates and suchlike), so I'm pretty flabberghasted by this. More > > so as > > I cannot find a mention about this on debian-devel, where I would > > assume such decisions would be discussed prior to the actual doing. > > > > Can somebody please shed some light on this? > > debian-devel primarily deals with development of the next version > of Debian, and the (old)stable releases are managed by the stable > release team. Removals and other more major changes in (old)stable > are > intentionally rare, but can happen. > > In the case of salt, it was removed from Debian 11 in the 11.10 point > release, as announced in > < > https://lists.debian.org/debian-stable-announce/2024/06/msg00000.html> > . > > This was requested by a security team member in > <https://bugs.debian.org/1070175>, prompted by its removal from > unstable > in <https://bugs.debian.org/1069654>, which appears to have been > caused by > not having any volunteers willing to take responsibility for > maintaining > this security-sensitive package. > While I get the idea behind this, having salt (as a machine management package) removed from the official mirror in a stable release strikes me a bit odd - the already installed packages won't be removed, and as it is a management package, one could expect this gets installed in automated setups. This wouldn't be a problem as such, if the preseed file would accept a multitude of mirrors, alas all tests I've done in the past only allowed for a single source, and using late_command in the preseed to first inject an additional mirror and then install the package from there did not work as far as I remember. It seems I need to fall back to an old version of mirror & PXE package for the installation. > Older versions of the salt package continue to be available from > <https://snapshot.debian.org/package/salt/> but will not receive any > security or bug-fix updates. The upstream developers have their own > newer Debian-compatible packages available, > https://docs.saltproject.io/salt/install-guide/en/latest/topics/install-by-operating-system/debian.html > (these are not supported by the Debian project). > > (Also note that Debian 11 comes to the end of its normal support > lifetime > in a few days' time, on 2024-08-14, although the Debian LTS > subproject > plans to provide limited security maintenance for an additional 2 > years.) > > smcv Thx, I'm aware I'm on oldstable here, but replacing old systems is sometimes not as fast as I'd hope it'd be ;) BR JD
Attachment:
signature.asc
Description: This is a digitally signed message part