Re: EOL'ing freerdp (v.1.1) for jessie and stretch
On 01/06/2020 14:17, Holger Levsen wrote:
> On Mon, Jun 01, 2020 at 10:55:02AM +0000, Mike Gabriel wrote:
>> Triaging and patch-backporting for FreeRDP (v1.1) will mean a considerable
>> effort. IMHO, we should think about avoiding this.
> what does 'considerable effort' translate to?
> without knowing that, it's a bit hard to comment.
>> With the end of jessie LTS and the upcoming of stretch LTS, I'd like to
>> propose the following changes for FreeRDP in old versions of Debian:
>> * EOL freerdp 1.1 for jessie (E)LTS
>> -> impacts: jessie ELTS won't have any version of FreeRDP
>> * consider EOL'ing freerdp 1.1 for stretch LTS
>> -> impacts: ltsp-client (easy to resolve, it can use freerdp2)
>> -> impacts: medusa (resolve by dropping freerdp support)
>> -> impacts: vlc-plugin-access-extra (drop freerdp support)
> fine by me (despite the comment above!), if you decide to do so, please also
> document this in debian-security-support.git - I'll handle d-s-s uploads then.
AFAICS most issues are minor (OOB read) and need not be fixed urgently;
the proposed changes impact users, multiple packages, and involve
backports / break stability.
Candid question: what would be the downsides/limitations of fixing the
few medium/high vulnerabilities in freerdp and leaving it that way?