Security updates of ansible in buster and stretch

Hello Lee, hello security team,

I have been working on security updates of ansible in Stretch and my intention
was to fix the remaining issues in Buster as well. However, testing those
upstream patches proved to be rather difficult in older releases. I believe it
is generally possible to fix most of the unresolved vulnerabilities with
targeted fixes but this requires some effort for both distributions.

First of all, are there any plans to update Buster in the foreseeable future,
is anyone working on that right now?

I saw that newer versions of ansible were uploaded to stretch- and
buster-backports. What do you think of updating ansible in oldstable and stable
instead, to fix the remaining security vulnerabilities properly?

How big is the risk of breaking existing installations of ansible in oldstable
and stable? I have successfully built ansible 2.9.16+dfsg-1.1 from Bullseye,
there is only a minor problem with building the documentation, and it seems the
same version should work in Stretch too.

All in all, we could try to backport the latest version to older stable
releases or we could walk a middle way and base the patches all on Buster or
the newer buster-backports version or something in between. This would
certainly reduce the maintenance costs in those older releases.

What are your thoughts?




