
Re: bind9 patch or new upstream version



Hi Ola,

On Sat, Apr 13, 2024 at 12:49:49AM +0200, Ola Lundqvist wrote:
> Hi fellow LTS contributors
> 
> Today I started on bind9 and realized one thing. In bullseye the
> security update is to release a new upstream version (released as
> 1:9.16.48-1) instead of patching the old version
> (1:9.16.44-1~deb11u1). For some reason the version used is -1 instead
> of ~deb11u1.
> 
I am not entirely sure why -1 was used, but I can tell you that ~deb11u1
was not used because the upload went through proposed-updates. It
appears to also have gone to the security queue, but it isn't clear to
me why that happened. In any event, an upload to proposed-updates would
typically need a version like +bullseye1. However, stable already has a
higher version (1:9.18.24-1), which guarantees that on upgrade from
bullseye to bookworm the new version in bookworm will take priority.

Also, looking at security and proposed-updates for stable shows that the
versions there were also uploaded with -1.

Either way, it doesn't make a difference and it isn't something that we
should worry about.

> Since this is not the normal practice I'd like to check so we have a
> common agreement that this is the best also for LTS/buster.
> 
> In this case I think it is the safest method. Trying to pick the
> individual patches can be risky.

Assuming that you are suggesting that we upgrade buster to the bullseye
version (9.16.48), then I disagree entirely. We cannot move bind9 to the
bullseye version.

> Or do we know any specific reason why we should not go this path?
> 
In the case of buster we can't do what was done for stable and
oldstable. If you look at the versions there, here is what happened:

stable: 9.18.19 -> 9.18.24
oldstable: 9.16.44 -> 9.16.48

The version in buster is 9.11.5.P4. We cannot upgrade to 9.16.48 without
risking breaking changes for users. I haven't looked, but I assume that
you are asking this question because there is not a new 9.11.x release
that deals with the current vulnerabilities. If it happens to be the
case that there is a new 9.11.x release that addresses the
vulnerabilities, then that is potentially a path we could take. If there
is not a 9.11.x version that we could migrate to, then we will need to
carefully backport the patches and ensure that everything is rigorously
tested.

Regards,

-Roberto


-- 
Roberto C. Sánchez
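The ordering Roberto relies on above (a ~deb11u1 revision sorting below -1, -1 sorting below +bullseye1, and 9.16.x sorting below 9.18.x) is dpkg's version comparison. What follows is an added example and not code from this thread, from dpkg or from the Debian LTS team: a Python reimplementation of that comparison (epoch, then upstream version, then Debian revision, with '~' sorting before everything and letters before non-letters), applied to the versions named in the thread plus two hypothetical variants, 1:9.16.48-1~deb11u1 and 1:9.16.48-1+bullseye1, which are assumed here for illustration and are not real uploads.

```python
"""Debian version ordering, as used by dpkg, applied to the bind9 versions
discussed in this thread.

Added example for this thread; it is not code from the Debian LTS team or
from dpkg itself. The rules follow Debian Policy's version comparison
(epoch, upstream version, Debian revision; '~' sorts before everything,
letters before non-letters). Versions marked "hypothetical" below are
variants the thread mentions as possibilities, not uploads that exist.
"""
from functools import cmp_to_key


def _order(c):
    """Character weight for the non-digit runs, as in dpkg's order():
    '~' < end-of-string < letters < everything else."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments (upstream or revision) dpkg-style:
    alternate between non-digit runs (character by character via _order)
    and digit runs (numerically, ignoring leading zeros)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: a missing character weighs 0, so "1~x" < "1"
        # (because '~' is -1) while "1" < "1a" and "1" < "1+x".
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros; the longer run wins, otherwise the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into its parts. The epoch ends
    at the first ':'; the revision starts at the last '-'."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, matching dpkg --compare-versions a lt/eq/gt b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def sort_versions(versions):
    """Return the versions in ascending dpkg order."""
    return sorted(versions, key=cmp_to_key(compare_versions))


# Versions from the thread plus two hypothetical variants: the ~deb11u1 form
# Ola expected and the +bullseye1 form Roberto says proposed-updates would
# typically use. Neither hypothetical one is claimed to be a real upload.
THREAD_VERSIONS = [
    "1:9.18.24-1",            # bookworm (stable)
    "1:9.16.48-1",            # bullseye update as actually uploaded
    "1:9.16.48-1+bullseye1",  # hypothetical proposed-updates style
    "1:9.16.48-1~deb11u1",    # hypothetical security-queue style
    "1:9.16.44-1~deb11u1",    # previous bullseye version
    "1:9.11.5.P4",            # buster upstream version (revision omitted)
]

if __name__ == "__main__":
    for v in sort_versions(THREAD_VERSIONS):
        print(v)
```

To check any of these orderings against the real tool on a Debian system, run `dpkg --compare-versions A lt B; echo $?` (exit status 0 means A sorts before B).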

