Control: tags -1 moreinfo

Hi Afif,

On Wed, 15 May 2019 03:47:28 -0400 Afif Elghraoui <afif@debian.org> wrote:
> Please unblock package singularity-container/3.1.1+ds-1
>
> This package is prone to security vulnerabilities. Upstream provides
> long-term support for selected versions to their paid users, but also
> releases all code changes (including backported security patches) to the
> community.
>
> Both 3.0.x and 3.1.x were released earlier this year and it was not
> known at the time which of these would be the LTS version. 3.0.3 is what
> I bet on and what is in Testing now, but it now turns out that I was
> wrong and it's actually 3.1. Using it would greatly facilitate our
> ability to provide support over the lifetime of Buster.
>
> The benefits of doing this have also just been clearly demonstrated:
> Upstream just released 3.2.0, adding new features as well as fixing
> security issues affecting versions 3.1.0 and up, but because 3.1 is
> under LTS support for their paid users, they also provided the security
> patches backported to 3.1 (see the 3.2.0 release notes -
> https://github.com/sylabs/singularity/releases/tag/v3.2.0 ).
>
> So I apologize for the large diff, but I think we'd be in much better
> shape having this upstream version in Buster. Especially because of the
> large diff, backporting patches to 3.0 without the help from upstream
> that we'd get by using 3.1 would be unnecessarily more burdensome.
>
> Many thanks for your time and consideration.

Your proposed changes very much do not align with the freeze policy, so
you're asking for an exception for a new upstream release.

This package is currently listed to be auto-removed due to docker.io, so
I am not going to review it now. docker.io is a major concern for the
security team, so that needs to be resolved first. If that gets resolved
in a timely manner, i.e. before it is auto-removed, please ping this bug
(e.g. by removing the moreinfo bug).

Paul