
Re: Supporting unbound in stretch by upgrading to 1.9


On 20/01/2021 10:32, Robert Edmonds wrote:
Raphael Hertzog wrote:
On Tue, 19 Jan 2021, Robert Edmonds wrote:
There is an unfixed issue in Unbound 1.9.0 (#962459 / #973052) that
affects some users (I have not been able to reproduce it). Upstream has
invested some time in helping the Debian maintainers track down
potential combinations of commits from later releases that may be
related to the issue, but we were not able to produce a working,
targeted fix. I would prefer that 1.9.0 not be exposed to more Debian
users, especially a combination of stretch's libevent and buster's
unbound that AFAIK has not been tested before.

Really what this means is that we need to fix unbound in buster before we
can resurrect support in stretch.

I have read the history of the two bugs and at this point I would suggest
to create a package of the latest 1.9.x and ask the tester in #962459
if that version fixes the issue, since we have not managed to cherry-pick
a working set of commits.

Then depending on the result, work with the release team to release
that version in buster (or possibly 1.10 if really the last 1.9.x doesn't
work reliably either).

Concerning testing of unbound 1.9.x with the libevent 2.0 in stretch,
well, we have LTS users of unbound so we can ask them to test the updated

I would be OK with promoting an unbound package based on 1.9.6-2 (the
last 1.9.x package) to buster, if that's OK with the release team.
There were a lot of post-buster packaging changes in 1.9.x, though,
which IMO are not harmful for stable/oldstable. If the release team is
not amenable to that, the alternative would be to take the packaging
from buster's 1.9.0-2 and import the 1.9.6 upstream release, though I'm
not sure how we would version such a package. Maybe
1.9.0-2+deb10uX+really1.9.6, and then your backport to stretch would be

There is some precedent for updating the unbound package to a newer
upstream release in an already released Debian suite. Lenny was updated
from 1.0.2 to 1.4.6 due to (IIRC) upstream supportability issues in
stable and at the approval of the security team, and that was probably a
bigger jump in terms of upstream code changes than going from 1.9.0 to

Reading the exchanges, a few quick questions:

- unbound does not seem to maintain any stable/parallel branches.
Before we start, does it make sense to bump to 1.9.6/1.10.1, or will we get the same supportability issue (stability+security) right after? (AFAIU upstream only supports the latest release, and I read from Robert about some users preferring buster-backports')

- Do we/I need to also coordinate with the Debian Release Team
(in addition to the Debian Security Team)?

Sylvain Beucler
Debian LTS Team
