
Bug#929011: marked as done (unblock: singularity-container/3.1.1+ds-1)



Your message dated Thu, 27 Jun 2019 11:47:28 +0200
with message-id <20190627094727.ugxctwu344gvaknc@debian.org>
and subject line Re: Bug#929011: unblock: singularity-container/3.1.1+ds-1
has caused the Debian Bug report #929011,
regarding unblock: singularity-container/3.1.1+ds-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
929011: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929011
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package singularity-container/3.1.1+ds-1

This package is prone to security vulnerabilities. Upstream provides
long-term support for selected versions to their paid users, but also
releases all code changes (including backported security patches) to the
community.

Both 3.0.x and 3.1.x were released earlier this year and it was not
known at the time which of these would be the LTS version. 3.0.3 is what
I bet on and what is in Testing now, but it now turns out that I was
wrong and it's actually 3.1. Using it would greatly facilitate our
ability to provide support over the lifetime of Buster.

The benefits of doing this have also just been clearly demonstrated:
Upstream just released 3.2.0, adding new features as well as fixing
security issues affecting versions 3.1.0 and up, but because 3.1 is
under LTS support for their paid users, they also provided the security
patches backported to 3.1 (see the 3.2.0 release notes -
https://github.com/sylabs/singularity/releases/tag/v3.2.0 ).

So I apologize for the large diff, but I think we'd be in much better
shape having this upstream version in Buster. Especially because of the
large diff, backporting patches to 3.0 without the help from upstream
that we'd get by using 3.1 would be unnecessarily more burdensome.

many thanks for your time and consideration

regards
Afif

-- 
Afif Elghraoui | عفيف الغراوي
https://afif.ghraoui.name

Attachment: singularity-container_3.0.3+ds-1_3.1.1+ds-1.debdiff.gz
Description: application/gzip


--- End Message ---
--- Begin Message ---
Hi,

On Tue, Jun 25, 2019 at 10:16:17PM +0200, Salvatore Bonaccorso wrote:
> > Hi Afif,
> > 
> > On Wed, 15 May 2019 03:47:28 -0400 Afif Elghraoui <afif@debian.org> wrote:
> > > Please unblock package singularity-container/3.1.1+ds-1
> > > 
> > > This package is prone to security vulnerabilities. Upstream provides
> > > long-term support for selected versions to their paid users, but also
> > > releases all code changes (including backported security patches) to the
> > > community.
> > > 
> > > Both 3.0.x and 3.1.x were released earlier this year and it was not
> > > known at the time which of these would be the LTS version. 3.0.3 is what
> > > I bet on and what is in Testing now, but it now turns out that I was
> > > wrong and it's actually 3.1. Using it would greatly facilitate our
> > > ability to provide support over the lifetime of Buster.
> > > 
> > > The benefits of doing this have also just been clearly demonstrated:
> > > Upstream just released 3.2.0, adding new features as well as fixing
> > > security issues affecting versions 3.1.0 and up, but because 3.1 is
> > > under LTS support for their paid users, they also provided the security
> > > patches backported to 3.1 (see the 3.2.0 release notes -
> > > https://github.com/sylabs/singularity/releases/tag/v3.2.0 ).
> > > 
> > > So I apologize for the large diff, but I think we'd be in much better
> > > shape having this upstream version in Buster. Especially because of the
> > > large diff, backporting patches to 3.0 without the help from upstream
> > > that we'd get by using 3.1 would be unnecessarily more burdensome.
> > > 
> > > many thanks for your time and consideration
> > 
> > Your proposed changes very much do not align with the freeze policy, so
> > you're asking for an exception for a new upstream release. This package
> > is currently listed to be auto-removed due to docker.io, so I am not
> > going to review it now. docker.io is a major concern for the
> > security-team so that needs to be resolved first. If that gets resolved
> > in a timely manner, i.e. before it is auto-removed, please ping this bug
> > (e.g. by removing the moreinfo bug).
> 
> I do agree that the changes are not really reviewable given the size
> of the diff. But with Afif's argument and now the package not being
> marked as autoremoved: if we want to support singularity-container
> security wise in buster we would need to bite into the apple and
> accept this late new version bump for buster as the 3.1 version.
> 
> So I think the two options we have are (in order of preference): 1.
> unblock singularity-container and let the 3.1 based version in to
> buster, or 2. remove singularity-container from buster.

It's really too late for option 1. Sorry.

I added a removal hint.

Thanks,

Ivo

--- End Message ---