Re: Should we give security support for squid when wheezy also has squid3?

To: Ola Lundqvist <opal@debian.org>
Cc: Debian LTS <debian-lts@lists.debian.org>
Subject: Re: Should we give security support for squid when wheezy also has squid3?
From: Raphael Hertzog <hertzog@debian.org>
Date: Thu, 2 Jun 2016 09:18:41 +0200
Message-id: <[🔎] 20160602071841.GB8014@home.ouaza.com>
Mail-followup-to: Raphael Hertzog <hertzog@debian.org>, Ola Lundqvist <opal@debian.org>, Debian LTS <debian-lts@lists.debian.org>
In-reply-to: <[🔎] CABY6=0=5Ci0Ys0ARrCDwU48eq4pE1PQqP9B4vmpTp7+QTMGU_g@mail.gmail.com>
References: <[🔎] CABY6=0=5Ci0Ys0ARrCDwU48eq4pE1PQqP9B4vmpTp7+QTMGU_g@mail.gmail.com>

On Wed, 01 Jun 2016, Ola Lundqvist wrote:
> As you can see from the below links, it is quite obvious that squid3
> is in better shape from a secuirty patching point of view compared to
> the squid package.
> https://security-tracker.debian.org/tracker/source-package/squid
> https://security-tracker.debian.org/tracker/source-package/squid3

We have opted to ignore a few issues, but that does not mean that
the squid package is in a bad shape.

> We can also see that a lot of effort has been put into the squid package
> considering the number of DLAs issued (16?) for this package.

Where do you see that? Over the lifetime of squeeze, we issued a single
DLA for squid and over the wheezy lifetime, we had one DSA up to now.

> I would like to question that we give support for the squid package
> considering that there is a squid3 package too in wheezy. Just as
> we do not support some earlier versions of the ruby packages.
> 
> I would like to request to mark the squid package as unsupported
> in the debian-security-support package.
> 
> What do you all think about this?

I'm opposed to this.  The squid package has not been so hard to support up
to now and there's no reason to drop it just because we have a newer
version available.

The reason we seek funding is to able to support all packages that are in
wheezy. Removing support for any package is a last resort and should only
be considered when you face problems that cannot be resolved.

The mere availability of some newer version is not a justification. I know
it's tempting at times, but we should avoid being lazy. In particular
since many of us are paid to work on this. It might be hard work to backport
a fix to squid 2.x, yes, but we should just do it.

> If you agree with me, do I simply upload a new version of
> the debian-security-support package or do I requiest that from someone
> else?

Usually we open a bug report against the package... some members of the
security/LTS team handle pending requests from time to time.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

Reply to:

Follow-Ups:
- Re: Should we give security support for squid when wheezy also has squid3?
  - From: Ola Lundqvist <opal@debian.org>

References:
- Should we give security support for squid when wheezy also has squid3?
  - From: Ola Lundqvist <opal@debian.org>

Prev by Date: Re: Should we give security support for squid when wheezy also has squid3?
Next by Date: HFS+ specific vulnerability
Previous by thread: Re: Should we give security support for squid when wheezy also has squid3?
Next by thread: Re: Should we give security support for squid when wheezy also has squid3?
Index(es):
- Date
- Thread