[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: updating debian-security-support(.limited) in buster and bullseye (Re: EOL candidates for security-support-ended.deb10 (recap))

Hi Holger,

thanks for taking care of it!

Regarding your question, if there are not other objections, I would say
please go ahead with an upload (despite python2.7).

Regards


Anton


Am Sa., 13. Aug. 2022 um 11:30 Uhr schrieb Holger Levsen <holger@layer-acht.org>:
On Fri, Aug 12, 2022 at 12:06:21PM +0000, Holger Levsen wrote:
> yes, I have uploading debian-security-support to buster for the last
> point release on my agenda and will do that upload as needed.

As there has now been a date announced for the final buster point release,
the timeline for this has become:

- today prepare buster branch for release (33% done, see below)
- today until aug 23: possible further updates to the master branch
  which then get copied to the buster branch
- aug 23: upload & SRM bug
- aug 27: freeze
- sep 10: buster 10.13 point release

I've prepared the buster branch accordingly, that is, I have copied
security-support-ended.deb10 from 1:12+2022.08.12 from unstable.

Two questions remain, the first I have just raised in #debian-release:

<h01ger> given that debian-security-support now has the release number
         in its version, do you still want additional ~deb11u1 version
         suffixes? eg debian-security-support is 1:11+2021.03.19, are
         you fine with 1:11+2022.08.13 now or would you prefer
         1:11+2022.08.13~deb11u1 ? (sid/bullseye is at 1:12+2022.08.12
         and will not get ...08.13.)
<h01ger> happy to ask this in an SRM bug too :)

(no reply on #d-release yet, though I only asked 15min ago...)

The second question is about security-support-limited, which is not
versioned atm, though maybe it should. Anyway, the current diff
between buster and master/unstable/bookworm is:

--- a/security-support-limited
+++ b/security-support-limited
@@ -8,24 +8,26 @@

 adns            Stub resolver that should only be used with trusted recursors
 binutils        Only suitable for trusted content; see https://lists.debian.org/msgid-search/87lfqsomtg.fsf@mid.deneb.enyo.de
+cython          Only included for building packages, not running them, #975058
 ganglia         See README.Debian.security, only supported behind an authenticated HTTP zone, #702775
 ganglia-web     See README.Debian.security, only supported behind an authenticated HTTP zone, #702776
-glpi            Only supported behind an authenticated HTTP zone for trusted users
-golang*        See https://www.debian.org/releases/buster/amd64/release-notes/ch-information.en.html#golang-static-linking
+golang.*        See https://www.debian.org/releases/buster/amd64/release-notes/ch-information.en.html#golang-static-linking
 kde4libs        khtml has no security support upstream, only for use on trusted content
+khtml           khtml has no security support upstream, only for use on trusted content, see #1004293
 libv8-3.14      Not covered by security support, only suitable for trusted content
-ltp             Pure Testsuite, only supported on non-production non-multiuser systems
 mozjs           Not covered by security support, only suitable for trusted content
 mozjs24         Not covered by security support, only suitable for trusted content
 mozjs52         Not covered by security support, only suitable for trusted content
 mozjs60         Not covered by security support, only suitable for trusted content
+mozjs68         Not covered by security support, only suitable for trusted content, see #959804
+mozjs78         Not covered by security support, only suitable for trusted content, see #959804
 ocsinventory-server Only supported behind an authenticated HTTP zone
+python2.7       Only included for building packages, not running them, #975058
+python-stdlib-extensions Only included for building packages, not running them, #975058
 qtwebengine-opensource-src No security support upstream and backports not feasible, only for use on trusted content
 qtwebkit        No security support upstream and backports not feasible, only for use on trusted content
 qtwebkit-opensource-src No security support upstream and backports not feasible, only for use on trusted content
 sql-ledger      Only supported behind an authenticated HTTP zone
 swftools        Not covered by security support, only suitable for trusted content
 webkitgtk       No security support upstream and backports not feasible, only for use on trusted content
-wine-gecko-2.21 Not covered by security support, see https://bugs.debian.org/804058
-wine-gecko-2.24 Not covered by security support, see https://bugs.debian.org/804058
 zoneminder      See README.Debian.security, only supported behind an authenticated HTTP zone, #922724

I'm leaning towards not updating security-support-limited for buster. What do
you think?


--
cheers,
        Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

It's not climate change nor climate crisis, it's climate disaster.
Reply to: