
Bug#930293: unblock: docker.io/18.09.1+dfsg1-7



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

  Hi,

I'm about to upload a fix for #929662 "docker.io: CVE-2018-15664", but
before I do that I'd like to ask a question to the release team.

For now in testing we have docker.io 18.09.1, and on top of that I've
been importing upstream patches to fix RC bugs, because from what I
understand from the Policy, that's what I should do.

The 18.09 series of docker is a so-called "LTS", and that's exactly why
it's THIS release in particular that I targeted for Buster, rather than
a more recent release. Every now and then upstream releases a new dot
release; the latest to date is 18.09.6 (released in May).

According to the upstream changelog, these are mostly fixes. And to get
an idea of the volume, between 18.09.1 and 18.09.6, there were 142
commits, which is rather small compared to the size of docker's codebase.

So it seems to me that upstream really only adds fixes to the 18.09
series, and I also think that our users would be better served if they
could have the latest version of this series in Buster, rather than what
I'm doing now: only patching 18.09.1 with whatever bug was reported in
Debian and marked RC, and ignoring all the other bugs that were reported
and fixed upstream.

Hence I'd like to ask the release team if they think it would be
suitable to unblock docker.io to allow the version 18.09.6 to be
uploaded in Buster? Or, better, wait for the next 18.09.7 that will
include the CVE fix, probably in the next few days?

Or should I just stick to 18.09.1, and only upload a new Debian version
that only includes the CVE fix?

Thanks,

  Arnaud

unblock docker.io/18.09.1+dfsg1-7

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

