On Fri, Aug 12, 2022 at 12:06:21PM +0000, Holger Levsen wrote:
> yes, I have uploading debian-security-support to buster for the last
> point release on my agenda and will do that upload as needed.
As there has now been a date announced for the final buster point release,
the timeline for this has become:
- today prepare buster branch for release (33% done, see below)
- today until aug 23: possible further updates to the master branch
which then get copied to the buster branch
- aug 23: upload & SRM bug
- aug 27: freeze
- sep 10: buster 10.13 point release
I've prepared the buster branch accordingly, that is, I have copied
security-support-ended.deb10 from 1:12+2022.08.12 from unstable.
Two questions remain, the first I have just raised in #debian-release:
<h01ger> given that debian-security-support now has the release number
in its version, do you still want additional ~deb11u1 version
suffixes? eg debian-security-support is 1:11+2021.03.19, are
you fine with 1:11+2022.08.13 now or would you prefer
1:11+2022.08.13~deb11u1 ? (sid/bullseye is at 1:12+2022.08.12
and will not get ...08.13.)
<h01ger> happy to ask this in an SRM bug too :)
(no reply on #d-release yet, though I only asked 15min ago...)
The second question is about security-support-limited, which is not
versioned atm, though maybe it should. Anyway, the current diff
between buster and master/unstable/bookworm is:
--- a/security-support-limited
+++ b/security-support-limited
@@ -8,24 +8,26 @@
adns Stub resolver that should only be used with trusted recursors
binutils Only suitable for trusted content; see https://lists.debian.org/msgid-search/87lfqsomtg.fsf@mid.deneb.enyo.de
+cython Only included for building packages, not running them, #975058
ganglia See README.Debian.security, only supported behind an authenticated HTTP zone, #702775
ganglia-web See README.Debian.security, only supported behind an authenticated HTTP zone, #702776
-glpi Only supported behind an authenticated HTTP zone for trusted users
-golang* See https://www.debian.org/releases/buster/amd64/release-notes/ch-information.en.html#golang-static-linking
+golang.* See https://www.debian.org/releases/buster/amd64/release-notes/ch-information.en.html#golang-static-linking
kde4libs khtml has no security support upstream, only for use on trusted content
+khtml khtml has no security support upstream, only for use on trusted content, see #1004293
libv8-3.14 Not covered by security support, only suitable for trusted content
-ltp Pure Testsuite, only supported on non-production non-multiuser systems
mozjs Not covered by security support, only suitable for trusted content
mozjs24 Not covered by security support, only suitable for trusted content
mozjs52 Not covered by security support, only suitable for trusted content
mozjs60 Not covered by security support, only suitable for trusted content
+mozjs68 Not covered by security support, only suitable for trusted content, see #959804
+mozjs78 Not covered by security support, only suitable for trusted content, see #959804
ocsinventory-server Only supported behind an authenticated HTTP zone
+python2.7 Only included for building packages, not running them, #975058
+python-stdlib-extensions Only included for building packages, not running them, #975058
qtwebengine-opensource-src No security support upstream and backports not feasible, only for use on trusted content
qtwebkit No security support upstream and backports not feasible, only for use on trusted content
qtwebkit-opensource-src No security support upstream and backports not feasible, only for use on trusted content
sql-ledger Only supported behind an authenticated HTTP zone
swftools Not covered by security support, only suitable for trusted content
webkitgtk No security support upstream and backports not feasible, only for use on trusted content
-wine-gecko-2.21 Not covered by security support, see https://bugs.debian.org/804058
-wine-gecko-2.24 Not covered by security support, see https://bugs.debian.org/804058
zoneminder See README.Debian.security, only supported behind an authenticated HTTP zone, #922724
I'm leaning towards not updating security-support-limited for buster. What do
you think?
--
cheers,
Holger
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄
It's not climate change nor climate crisis, it's climate disaster.