
Re: How to handle freeimage package



Hi (especially Ola),

On 08/04/24 at 13:59, Sylvain Beucler wrote:
> Hi,
> 
> I think this requires a bit of coordination:
> - the package is basically dead upstream, there hasn't been a fix in the
> official repos, and neither Debian nor other distros have attempted to fix them

The only "exception" seems to be Fedora. They have packaged r1909 and
have patches for some (eight) CVEs on top of that:
https://src.fedoraproject.org/rpms/freeimage/tree/f40

I haven't checked whether they are backportable to 3.18 or 3.17. Ola, could
you please take a look at whether they could help?

> - we do have a sponsor for LTS and ELTS/stretch, so we're paid to take care
> of this package
> - secteam usually sets unimportant/low/high severity, not us
> 
> So I wonder if this package is still supportable. I'd suggest you sync with
> LTS Coordinator to see if we should invest time in fixing the issues
> ourselves, or drop the package from debian-security-support.

Before considering dropping its support, I would suggest at least
contacting upstream one more time to ask about its status, to see if they
are interested in officially releasing 3.19, and, why not, reporting the
missing issues in their bug tracker as Moritz has suggested.

Also, there are some reverse dependencies to be taken into account.

[snip]

Cheers,

  -- Santiago
