
Bug#929011: unblock: singularity-container/3.1.1+ds-1



Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package singularity-container/3.1.1+ds-1

This package is prone to security vulnerabilities. Upstream provides
long-term support for selected versions to their paid users, but also
releases all code changes (including backported security patches) to the
community.

Both 3.0.x and 3.1.x were released earlier this year and it was not
known at the time which of these would be the LTS version. 3.0.3 is what
I bet on and what is in Testing now, but it now turns out that I was
wrong and it's actually 3.1. Using it would greatly facilitate our
ability to provide support over the lifetime of Buster.

The benefits of doing this have also just been clearly demonstrated:
Upstream just released 3.2.0, adding new features as well as fixing
security issues affecting versions 3.1.0 and up, but because 3.1 is
under LTS support for their paid users, they also provided the security
patches backported to 3.1 (see the 3.2.0 release notes -
https://github.com/sylabs/singularity/releases/tag/v3.2.0 ).

So I apologize for the large diff, but I think we'd be in much better
shape having this upstream version in Buster. Especially because of the
large diff, backporting patches to 3.0 without the help from upstream
that we'd get by using 3.1 would be unnecessarily more burdensome.

many thanks for your time and consideration

regards
Afif

-- 
Afif Elghraoui | عفيف الغراوي
https://afif.ghraoui.name

Attachment: singularity-container_3.0.3+ds-1_3.1.1+ds-1.debdiff.gz
Description: application/gzip

