
Drop support for libqb?

Hello all,

In recent days I made an attempt at backporting fixes made upstream in
libqb to address CVE-2019-12779.  I requested a review from upstream in
the related GitHub issue [0].

The essence of the discussion is that some important parts of the
upstream changes do not apply to the libqb in Jessie, because libqb in
Jessie is considerably older than the releases for which upstream has
provided a fix.

Chris and Brian have both made assessments of the degree of
vulnerability in libqb [1].  The comments from upstream appear to be in
line with those observed by Chris and Brian.  That said, Ferenc Wágner,
who is the current maintainer of libqb in Debian and has also
contributed upstream, joined the conversation.  He asked what packages
depend on libqb.  I must confess that it never even occurred to me to
look.  The answer is that no packages depend on libqb in Jessie, making
it a leaf package.

Based on that and the vast differences between libqb 0.11.1, in Jessie,
and 1.0.5, in which the fixes have been made available, Ferenc's
assessment, and mine, is that additional effort on this package would be
a waste.  From Ferenc's point of view, anybody on such an old release of
Debian would have used 0.17.2 or 1.0.1 from jessie-backports.  Neither
of those will be updated by the security team.  Updating to a current
upstream release would be low risk from the standpoint of it being a
leaf package, but that does not seem right either.

With that in mind, does this seem like a package for which we should
declare the end of support?



[0] https://github.com/ClusterLabs/libqb/issues/338
[1] https://lists.debian.org/debian-lts/2019/06/msg00015.html

Roberto C. Sánchez
