Re: EOL candidates for security-support-ended.deb10

[Emilio Pozuelo Monfort <pochu@debian.org>]

On 05/08/2022 11:48, Raphael Hertzog wrote:
> Hello,
>
> On Wed, 03 Aug 2022, Sylvain Beucler wrote:
> > OpenStack: we tend not to support openstack beyond upstream's support, but
> > I'm having a hard time associating the components version with OpenStack's
> > major version; possibly other openstack packages (horizon, manila,
> > neutron...) are concerned; see also
> > https://access.redhat.com/support/policy/updates/openstack/platform/ ; if
> > somebody is more familiar with openstack, input would be appreciated :)
> > - keystone https://lists.debian.org/debian-lts/2020/05/msg00011.html
>
> FWIW, I got some private feedback from an LTS sponsor that they are still
> running Openstack on buster so it would be nice if we could try to support
> it this time around.
>
> The number of CVE on Openstack related packages seem to be low.
>
> Do you see any reason why we should not try to support it?

We shouldn't just forward-port the EOL list. I.e. if the only reason to not 
support something is "we didn't support it in previous releases", then we should 
support it.

For OpenStack in particular, I don't see it in security-support-ended.*, but 
IIRC the reason was that upstream used to move too fast and security fixes were 
hard to backport. If things have stabilized, with fewer issues and a more 
stabilized code, and upstream provides enough information, then I see no reason 
why we can't support it.

Cheers,
Emilio