Re: Supporting unbound in stretch by upgrading to 1.9

To: Markus Koschany <apo@debian.org>
Cc: debian-lts <debian-lts@lists.debian.org>, team <team@security.debian.org>
Subject: Re: Supporting unbound in stretch by upgrading to 1.9
From: Robert Edmonds <edmonds@debian.org>
Date: Sat, 6 Feb 2021 19:46:22 -0500
Message-id: <[🔎] YB84XqgWM9HHcqJf@mycre.ws>
In-reply-to: <[🔎] 80e11f170c176d09c2b08b0826d597cc737c1cea.camel@debian.org>
References: <240f6cd3-77b0-2a24-ac14-99e7af98179b@beuc.net> <YAex8kxx0iJVyyxs@mycre.ws> <YAftVdSpPGsBL7/o@t14-buxy.home.ouaza.com> <YAf4rcX+8/UA5Hui@mycre.ws> <[🔎] 80e11f170c176d09c2b08b0826d597cc737c1cea.camel@debian.org>

Markus Koschany wrote:
> Am Mittwoch, den 20.01.2021, 04:32 -0500 schrieb Robert Edmonds:
> [...]
> > I would be OK with promoting an unbound package based on 1.9.6-2 (the
> > last 1.9.x package) to buster, if that's OK with the release team.
> 
> Hello Robert,
> 
> As you know we have had a request from users to "resurrect" unbound in Debian 9
> "Stretch". We have discussed several options internally and we came to the
> conclusion that we can just backport the current version of unbound in Buster
> and apply the patch to fix CVE-2020-28935. In order to avoid rebuilds of
> reverse-dependencies we have decided to introduce a new source package called
> unbound1.9 which takes over the binary packages unbound, unbound-anchor,
> unbound-host and libunbound8. This allows us to avoid rebuilding reverse-
> dependencies of libunbound2 in Stretch which is not necessary because they are
> not affected by the reported security vulnerabilities. You also don't have to
> feel responsible for those changes because we track them in a different source
> package.
> 
> So far the users in Stretch can't reproduce the reported instability bugs in
> Buster and everything looks fine. Therefore we intend to maintain the 1.9.0
> version and apply patches on top of it, if necessary.
> 
> In order to fix those bugs in Debian 10 "Buster" we could upgrade to the latest
> version in the 1.9.x series. The bug reporters claimed that version 1.9.2 or
> 1.9.3 would fix it for them. 
> 
> I have prepared a new release for Buster and uploaded it to
> 
> https://people.debian.org/~apo/buster/unbound/
> 
> In my opinion we should let those bug reporters test the update. If this is
> successful we should try to get this into the next buster point update.
> 
> What are your thoughts?
> 
> Regards,
> 
> Markus

Hi, Markus:

I'm OK with both of these plans.

For the proposed 1.9.6 buster update, can you send me git commits based
against
https://salsa.debian.org/dns-team/unbound/-/tree/branches/1.9.0-2_deb10
?

Thanks!

-- 
Robert Edmonds
edmonds@debian.org

Reply to:

Follow-Ups:
- Re: Supporting unbound in stretch by upgrading to 1.9
  - From: Markus Koschany <apo@debian.org>

References:
- Re: Supporting unbound in stretch by upgrading to 1.9
  - From: Markus Koschany <apo@debian.org>

Prev by Date: Re: Supporting unbound in stretch by upgrading to 1.9
Next by Date: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
Previous by thread: Re: Supporting unbound in stretch by upgrading to 1.9
Next by thread: Re: Supporting unbound in stretch by upgrading to 1.9
Index(es):
- Date
- Thread