Hi Jochen,

thanks for your bug report!

On Wed, Oct 08, 2025 at 04:50:14PM +0200, Jochen Sprickerhof wrote:
> Package: debian-security-support
> Severity: normal
> X-Debbugs-Cc: Debian Security Team <team@security.debian.org>, hdf5@packages.debian.org
>
> I propose to mark hdf5 as limited support in Debian 11 (bullseye).

bullseye is under the realm of the LTS team, thus cc:ing them with full
quote.

that said: hdf5 is also present in all our later suites, so why only
bullseye, but not forky/trixie/bookworm/sid?

> # Package Description
>
> Hierarchical Data Format 5 (HDF5) is a file format and library for
> storing scientific data. HDF5 was designed and implemented to address
> the deficiencies of HDF4.x. It has a more powerful and flexible data
> model, supports files larger than 2 GB, and supports parallel I/O.
>
> # Obstacles Preventing Continued Support
>
> Upstream does not seem to support security updates of older releases.
> There are tags of the 1.10 series in bullseye up to 1.10.11 but they
> contain a lot of changes all over the place, like reformatting, adding
> new functionality and behavior changes. So uploading a new upstream
> version seems too risky. On the other hand the upstream git has no clear
> commits of the security patches. They are often committed in bulk and
> then partly reverted due to regressions and later committed again,
> probably due to other commits in between fixing the regressions. There
> is https://github.com/HDFGroup/cve_hdf5.git which allows easy testing of
> the CVEs and I tried cherry-picking some commits but it resulted in
> different tests failing.
>
> # Proposed entry for security-support.deb11
>
> hdf5 limited Not covered by security support, only suitable for trusted content, see -1

-- 
cheers,
	Holger

⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄ figures don't lie, but liars figure.