Bug#929011: unblock: singularity-container/3.1.1+ds-1
- To: 929011@bugs.debian.org
- Subject: Bug#929011: unblock: singularity-container/3.1.1+ds-1
- From: Ansgar <ansgar@43-1.org>
- Date: Tue, 25 Jun 2019 21:50:03 +0200
- Message-id: <87woh9phqs.fsf@43-1.org>
- Reply-to: Ansgar <ansgar@43-1.org>, 929011@bugs.debian.org
- In-reply-to: <c0b1c4a4-a59c-4ae6-2e4d-584abf3683ca__4897.88526190154$1560022228$gmane$org@debian.org> (Paul Gevers's message of "Sat, 8 Jun 2019 21:26:06 +0200")
- References: <431af70b-2627-be10-4d6f-70fce9891cd9@debian.org> <c0b1c4a4-a59c-4ae6-2e4d-584abf3683ca__4897.88526190154$1560022228$gmane$org@debian.org>
Control: tag -1 - moreinfo
Paul Gevers writes:
> On Wed, 15 May 2019 03:47:28 -0400 Afif Elghraoui <afif@debian.org> wrote:
>> Please unblock package singularity-container/3.1.1+ds-1
>>
>> This package is prone to security vulnerabilities. Upstream provides
>> long-term support for selected versions to their paid users, but also
>> releases all code changes (including backported security patches) to the
>> community.
>>
>> Both 3.0.x and 3.1.x were released earlier this year and it was not
>> known at the time which of these would be the LTS version. 3.0.3 is what
>> I bet on and what is in Testing now, but it now turns out that I was
>> wrong and it's actually 3.1. Using it would greatly facilitate our
>> ability to provide support over the lifetime of Buster.
>>
>> The benefits of doing this have also just been clearly demonstrated:
>> Upstream just released 3.2.0, adding new features as well as fixing
>> security issues affecting versions 3.1.0 and up, but because 3.1 is
>> under LTS support for their paid users, they also provided the security
>> patches backported to 3.1 (see the 3.2.0 release notes -
>> https://github.com/sylabs/singularity/releases/tag/v3.2.0 ).
>>
>> So I apologize for the large diff, but I think we'd be in much better
>> shape having this upstream version in Buster. Especially because of the
>> large diff, backporting patches to 3.0 without the help from upstream
>> that we'd get by using 3.1 would be unnecessarily more burdensome.
>>
>> Many thanks for your time and consideration.
>
> Your proposed changes very much do not align with the freeze policy, so
> you're asking for an exception for a new upstream release. This package
> is currently listed to be auto-removed due to docker.io, so I am not
> going to review it now. docker.io is a major concern for the
> security-team so that needs to be resolved first. If that gets resolved
> in a timely manner, i.e. before it is auto-removed, please ping this bug
> (e.g. by removing the moreinfo bug).
I've removed the moreinfo tag as docker.io was unblocked.
Ansgar