Bug#929011: marked as done (unblock: singularity-container/3.1.1+ds-1)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Fri, 28 Jun 2019 11:00:00 +0200
with message-id <20190628085958.y3ir2elvlt7lizcf@debian.org>
and subject line Re: Bug#929011: unblock: singularity-container/3.1.1+ds-1
has caused the Debian Bug report #929011,
regarding unblock: singularity-container/3.1.1+ds-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
929011: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929011
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: singularity-container/3.1.1+ds-1
• From: Afif Elghraoui <afif@debian.org>
• Date: Wed, 15 May 2019 03:47:28 -0400
• Message-id: <431af70b-2627-be10-4d6f-70fce9891cd9@debian.org>

Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package singularity-container/3.1.1+ds-1

This package is prone to security vulnerabilities. Upstream provides
long-term support for selected versions to their paid users, but also
releases all code changes (including backported security patches) to the
community.

Both 3.0.x and 3.1.x were released earlier this year and it was not
known at the time which of these would be the LTS version. 3.0.3 is what
I bet on and what is in Testing now, but it now turns out that I was
wrong and it's actually 3.1. Using it would greatly facilitate our
ability to provide support over the lifetime of Buster.

The benefits of doing this have also just been clearly demonstrated:
Upstream just released 3.2.0, adding new features as well as fixing
security issues affecting versions 3.1.0 and up, but because 3.1 is
under LTS support for their paid users, they also provided the security
patches backported to 3.1 (see the 3.2.0 release notes -
https://github.com/sylabs/singularity/releases/tag/v3.2.0 ).

So I apologize for the large diff, but I think we'd be in much better
shape having this upstream version in Buster. Especially because of the
large diff, backporting patches to 3.0 without the help from upstream
that we'd get by using 3.1 would be unnecessarily more burdensome.

many thanks for your time and consideration

regards
Afif

-- 
Afif Elghraoui | عفيف الغراوي
https://afif.ghraoui.name

Attachment: singularity-container_3.0.3+ds-1_3.1.1+ds-1.debdiff.gz
Description: application/gzip

--- End Message ---

--- Begin Message ---

• To: Afif Elghraoui <afif@debian.org>
• Cc: Ivo De Decker <ivodd@debian.org>, Salvatore Bonaccorso <carnil@debian.org>, Paul Gevers <elbrus@debian.org>, Debian Security Team <team@security.debian.org>, 929011-done@bugs.debian.org
• Subject: Re: Bug#929011: unblock: singularity-container/3.1.1+ds-1
• From: Ivo De Decker <ivodd@debian.org>
• Date: Fri, 28 Jun 2019 11:00:00 +0200
• Message-id: <20190628085958.y3ir2elvlt7lizcf@debian.org>
• In-reply-to: <[🔎] 07021801-12F1-4CFC-BB75-8CD4F1BAF401@debian.org>
• References: <431af70b-2627-be10-4d6f-70fce9891cd9@debian.org> <431af70b-2627-be10-4d6f-70fce9891cd9@debian.org> <431af70b-2627-be10-4d6f-70fce9891cd9@debian.org> <[🔎] c0b1c4a4-a59c-4ae6-2e4d-584abf3683ca@debian.org> <[🔎] 20190625201617.GA26177@eldamar.local> <20190627094727.ugxctwu344gvaknc@debian.org> <DA328AC0-83A9-4815-8CDE-04F47DEC2418@debian.org> <[🔎] 07021801-12F1-4CFC-BB75-8CD4F1BAF401@debian.org>

Hi,

On Thu, Jun 27, 2019 at 09:30:09AM -0400, Afif Elghraoui wrote:
> On June 27, 2019 9:06:41 AM EDT, Afif Elghraoui <afif@debian.org> wrote:
> >
> >
> >On June 27, 2019 5:47:28 AM EDT, Ivo De Decker <ivodd@debian.org>
> >wrote:
> >>Hi,
> >>> 
> >>> So I think the two options we have is (in order of preference): 1.
> >>> unblock singularity-container and let the 3.1 based version in to
> >>> buster, or 2. remove singularity-container from buster.
> >>
> >>It's really too late for option 1. Sorry.
> >>
> >>I added a removal hint.
> >>
> >
> >This request was not just filed recently. I don't understand why I'm
> >being penalized for this being late--the version requested for
> >unblocking as been in unstable for 43 days with no new bugs. And it's
> >also a leaf package.
> >
> >Please reconsider.
> >
> 
> I at least want to know what I could have done because, from my perspective,
> I did everything in my power to do this as quickly as possible. At the time
> I made the request, the buster release date had not yet even been set.

Please look at the freeze policy:

https://release.debian.org/buster/freeze_policy.html

The upload of 3.1.1+ds-1 was done on 2019-05-15, the full freeze started on
2019-03-12. 

During the full freeze, we only accept targeted fixes. Your upload didn't come
close to that, as you admitted yourself in your original mail to the unblock
request. The chances of such a request being granted were extremely small,
even at the point the request was made.

The unblock won't be granted. Sorry.

> I followed up on the docker bugs and offered to help and was told by the
> maintainer it was under control.

> The singularity community was really looking forward to having the package
> in Debian Stable this time around.

Ivo

--- End Message ---