
Re: EOL'ing freerdp (v.1.1) for jessie and stretch



Hi,

On 01/06/2020 14:17, Holger Levsen wrote:
> On Mon, Jun 01, 2020 at 10:55:02AM +0000, Mike Gabriel wrote:
>> Triaging and patch-backporting for FreeRDP (v1.1) will mean a considerable
>> effort. IMHO, we should think about avoiding this.
> 
> what does 'considerable effort' translate to?
>  
> without knowing that, it's a bit hard to comment.
> 
>> With the end of jessie LTS and the upcoming of stretch LTS, I'd like to
>> propose the following changes for FreeRDP in old versions of Debian:
>>
>>   * EOL freerdp 1.1 for jessie (E)LTS
>>     -> impacts: jessie ELTS won't have any version of FreeRDP
>>
>>   * consider EOL'ing freerdp 1.1 for stretch LTS
>>     -> impacts: ltsp-client (easy to resolve, it can use freerdp2)
>>     -> impacts: medusa (resolve by dropping freerdp support)
>>     -> impacts: vlc-plugin-access-extra (drop freerdp support)
> 
> fine by me (despite the comment above!), if you decide to do so, please also
> document this in debian-security-support.git - I'll handle d-s-s uploads then.

AFAICS most issues are minor (OOB read) and need not be fixed urgently;
the proposed changes impact users, multiple packages, and involve
backports / break stability.

Candid question: what would be the downsides/limitations of fixing the
few medium/high vulnerabilities in freerdp and leaving it that way?

Cheers!
Sylvain

