[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: salt removed from mirror

On Fri, Aug 09, 2024 at 03:52:01PM +0000, Johannes Drexl wrote:
> Am Freitag, dem 09.08.2024 um 15:27 +0100 schrieb Simon McVittie:
> > On Fri, 09 Aug 2024 at 13:31:02 +0000, Johannes Drexl wrote:
> > > I was under the impression that the software stack of a
> > > stable/oldstable release does not change anymore (safe for security
> > > updates and suchlike), so I'm pretty flabberghasted by this. More
> > > so as
> > > I cannot find a mention about this on debian-devel, where I would
> > > assume such decisions would be discussed prior to the actual doing.
> > > 
> > > Can somebody please shed some light on this?
> > 
> > debian-devel primarily deals with development of the next version
> > of Debian, and the (old)stable releases are managed by the stable
> > release team. Removals and other more major changes in (old)stable
> > are intentionally rare, but can happen.
> > 
> > In the case of salt, it was removed from Debian 11 in the 11.10 point
> > release, as announced in
> > <https://lists.debian.org/debian-stable-announce/2024/06/msg00000.html> .
> > 
> > This was requested by a security team member in
> > <https://bugs.debian.org/1070175>, prompted by its removal from
> > unstable in <https://bugs.debian.org/1069654>, which appears to
> > have been caused by not having any volunteers willing to take
> > responsibility for maintaining this security-sensitive package.
> > 
> While I get the idea behind this, having salt (as a machine management
> package) removed from the official mirror in a stable release strikes
> me a bit odd - the already installed packages won't be removed, and as
> it is a management package, one could expect this gets installed in
> automated setups. This wouldn't be a problem as such, if the preseed
> file would accept a multitude of mirrors, alas all tests I've done in
> the past only allowed for a single source, and using late_command in
> the preseed to first inject an additional mirror and then install the
> package from there did not work as far as I remember.
> 
> It seems I need to fall back to an old version of mirror & PXE package
> for the installation.
> 
> > Older versions of the salt package continue to be available from
> > <https://snapshot.debian.org/package/salt/> but will not receive any
> > security or bug-fix updates. The upstream developers have their own
> > newer Debian-compatible packages available,
> > https://docs.saltproject.io/salt/install-guide/en/latest/topics/install-by-operating-system/debian.html
> > (these are not supported by the Debian project).
> > 
> > (Also note that Debian 11 comes to the end of its normal support
> > lifetime in a few days' time, on 2024-08-14, although the Debian
> > LTS subproject plans to provide limited security maintenance for an
> > additional 2 years.)
> > 
> > smcv
> Thx, I'm aware I'm on oldstable here, but replacing old systems is
> sometimes not as fast as I'd hope it'd be ;)


Yes, there is (sadly) some consensus that somebody else should do it.

Thing that makes me wonder is how to appreciate those that
take care of salt-stack in Debian.


Groeten
Geert Stappers
-- 
Silence is hard to parse
Reply to: