Re: EOL guacamole-client in Stretch

To: Markus Koschany <apo@debian.org>, debian-lts <debian-lts@lists.debian.org>
Subject: Re: EOL guacamole-client in Stretch
From: Sylvain Beucler <beuc@beuc.net>
Date: Wed, 2 Feb 2022 17:22:12 +0100
Message-id: <[🔎] eb5bcaa8-77f3-765e-3ee4-f61eb41f9f5b@beuc.net>
In-reply-to: <b1ce03b23d8f6aadc5613c7957ad9463f3f8756b.camel@debian.org>
References: <b1ce03b23d8f6aadc5613c7957ad9463f3f8756b.camel@debian.org>

Hi,

On 31/01/2022 22:29, Markus Koschany wrote:

I believe we should mark guacamole-client as end-of-life in Stretch but I would
like to hear your opinion too. Guacamole in Stretch is a five year old web
application with four open CVE. Upstream recommends to upgrade to the latest
1.4.0 release and does not provide further details about specific patches. I
have checked the debdiff between 1.3.0 and 1.4.0 and it contains several files
which could be related to CVE-2021-41767 for example. Since guacamole-client is
also not a very popular package and not part of Buster or Bullseye, I suggest
to mark it EOL. Comments?

I would be warry of popcon for this kind of server package, sincethere's one instance for potentially a lot of (web) users.

That being said, given all your other arguments above, it sounds likemaintaining orphaned guacamole-client in stretch-only is not aparticularly effective use of the sponsors' money.


+1

Cheers!
Sylvain

Reply to:

Follow-Ups:
- Re: EOL guacamole-client in Stretch
  - From: Markus Koschany <apo@debian.org>

Prev by Date: Debian LTS and ELTS - January 2022
Next by Date: Re: EOL guacamole-client in Stretch
Previous by thread: Debian LTS and ELTS - January 2022
Next by thread: Re: EOL guacamole-client in Stretch
Index(es):
- Date
- Thread