Re: Supporting unbound in stretch by upgrading to 1.9

To: Markus Koschany <apo@debian.org>
Cc: debian-lts <debian-lts@lists.debian.org>, team <team@security.debian.org>
Subject: Re: Supporting unbound in stretch by upgrading to 1.9
From: Robert Edmonds <edmonds@debian.org>
Date: Wed, 17 Feb 2021 12:43:09 -0500
Message-id: <[🔎] YC1VrQ2gOIeog70P@mycre.ws>
In-reply-to: <[🔎] 80e11f170c176d09c2b08b0826d597cc737c1cea.camel@debian.org>
References: <240f6cd3-77b0-2a24-ac14-99e7af98179b@beuc.net> <YAex8kxx0iJVyyxs@mycre.ws> <YAftVdSpPGsBL7/o@t14-buxy.home.ouaza.com> <YAf4rcX+8/UA5Hui@mycre.ws> <[🔎] 80e11f170c176d09c2b08b0826d597cc737c1cea.camel@debian.org>

Markus Koschany wrote:
> Am Mittwoch, den 20.01.2021, 04:32 -0500 schrieb Robert Edmonds:
> [...]
> > I would be OK with promoting an unbound package based on 1.9.6-2 (the
> > last 1.9.x package) to buster, if that's OK with the release team.
> 
> Hello Robert,
> 
> As you know we have had a request from users to "resurrect" unbound in Debian 9
> "Stretch". We have discussed several options internally and we came to the
> conclusion that we can just backport the current version of unbound in Buster
> and apply the patch to fix CVE-2020-28935. In order to avoid rebuilds of
> reverse-dependencies we have decided to introduce a new source package called
> unbound1.9 which takes over the binary packages unbound, unbound-anchor,
> unbound-host and libunbound8. This allows us to avoid rebuilding reverse-
> dependencies of libunbound2 in Stretch which is not necessary because they are
> not affected by the reported security vulnerabilities. You also don't have to
> feel responsible for those changes because we track them in a different source
> package.

Hi,

It looks like #982671 / #982672 was assigned by the BTS to src:unbound
rather than src:unbound1.9. I attempted to re-assign the bug to
src:unbound1.9 with notfound/found but I don't think that worked since I
don't see it on
https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=unbound1.9.

This bug also should have been reported against the unbound binary
package built by src:unbound1.9, not python-unbound, because the bug
appears to be about src:unbound1.9's unbound daemon failing to start. My
understanding is that the embedded Python scripting support in the
unbound daemon (which is built on stretch against Python 3, not Python 2
anyway) does not require the python-unbound or python3-unbound packages,
which are unrelated Python extension module bindings for the APIs in the
C libunbound library.

Also, it looks like the upload of unbound1.9 1.9.0-2+deb10u2~deb9u1
dropped the python-unbound and python3-unbound binary packages. It's not
clear why and it would be nice if the reason were documented in
debian/changelog.

Thanks!

-- 
Robert Edmonds
edmonds@debian.org

Reply to:

Follow-Ups:
- Re: Supporting unbound in stretch by upgrading to 1.9
  - From: Markus Koschany <apo@debian.org>

References:
- Re: Supporting unbound in stretch by upgrading to 1.9
  - From: Markus Koschany <apo@debian.org>

Prev by Date: Re: QEMU upload lost?
Next by Date: Re: Supporting unbound in stretch by upgrading to 1.9
Previous by thread: Re: Supporting unbound in stretch by upgrading to 1.9
Next by thread: Re: Supporting unbound in stretch by upgrading to 1.9
Index(es):
- Date
- Thread