
Re: Jessie update of ceph?



Hi

Bernd Zeimetz <bzed@debian.org> writes:

Hi,

On 4/12/20 5:55 AM, Ben Hutchings wrote:
Note that the fix for CVE-2018-1128 requires an incompatible change to the authentication protocol, which means both clients and servers would need to be updated (if authentication is actually used). I backported the required changes in the Linux kernel's ceph client as far as 4.9, but introduced a bug in the process (since fixed). At that point I decided not to backport them any further, but can have a go if someone sets up an updated server to test against.

I'd rather remove ceph from oldstable instead of trying to fix that bug there. Even in stable, the state of ceph is not such a good one - I've asked the release team about updating ceph in stable (as it collected a huge number of bugs) - #948375 - unfortunately without reply. Ceph point releases usually have a huge number of changes as it is a very actively maintained and developed project.

I agree with Bernd here. In the past it proved to be increasingly difficult over time to backport security fixes for older versions. This is also the reason why we did a Ceph point release update to 10.2.11 while Jessie was still stable. Since then upstream stopped supporting the 10.2. (Jewel) release. The risk of introducing new bugs when just backporting selected commits from upstream is quite high.

I tried to convince the release team in the past to be able to regularly update Ceph to newer point releases like the Linux kernel and PostgreSQL do. But never got an ACK on this.

So until we find a solution for that, I don't even think that ceph should be part of buster :(

That would be really sad.

Gaudenz
--
PGP: 836E 4F81 EFBB ADA7 0852 79BF A97A 7702 BAF9 1EF5
