
Bug#929011: unblock: singularity-container/3.1.1+ds-1



Hi Paul, hi Afif,

On Sat, Jun 08, 2019 at 09:26:06PM +0200, Paul Gevers wrote:
> Control: tags -1 moreinfo
> 
> Hi Afif,
> 
> On Wed, 15 May 2019 03:47:28 -0400 Afif Elghraoui <afif@debian.org> wrote:
> > Please unblock package singularity-container/3.1.1+ds-1
> > 
> > This package is prone to security vulnerabilities. Upstream provides
> > long-term support for selected versions to their paid users, but also
> > releases all code changes (including backported security patches) to the
> > community.
> > 
> > Both 3.0.x and 3.1.x were released earlier this year and it was not
> > known at the time which of these would be the LTS version. 3.0.3 is what
> > I bet on and what is in Testing now, but it now turns out that I was
> > wrong and it's actually 3.1. Using it would greatly facilitate our
> > ability to provide support over the lifetime of Buster.
> > 
> > The benefits of doing this have also just been clearly demonstrated:
> > Upstream just released 3.2.0, adding new features as well as fixing
> > security issues affecting versions 3.1.0 and up, but because 3.1 is
> > under LTS support for their paid users, they also provided the security
> > patches backported to 3.1 (see the 3.2.0 release notes -
> > https://github.com/sylabs/singularity/releases/tag/v3.2.0 ).
> > 
> > So I apologize for the large diff, but I think we'd be in much better
> > shape having this upstream version in Buster. Especially because of the
> > large diff, backporting patches to 3.0 without the help from upstream
> > that we'd get by using 3.1 would be unnecessarily more burdensome.
> > 
> > many thanks for your time and consideration
> 
> Your proposed changes very much do not align with the freeze policy, so
> you're asking for an exception for a new upstream release. This package
> is currently listed to be auto-removed due to docker.io, so I am not
> going to review it now. docker.io is a major concern for the
> security-team so that needs to be resolved first. If that gets resolved
> in a timely manner, i.e. before it is auto-removed, please ping this bug
> (e.g. by removing the moreinfo bug).

I do agree that the changes are not really reviewable given the size
of the diff. But with Afif's argument and now the package not being
marked as autoremoved: if we want to support singularity-container
security-wise in buster we would need to bite into the apple and
accept this late new version bump for buster as the 3.1 version.

So I think the two options we have are (in order of preference): 1.
unblock singularity-container and let the 3.1 based version in to
buster, or 2. remove singularity-container from buster.

Cc'ing team@s.d.o for further comments.

Regards,
Salvatore

