
multiple RPKI-related vulnerabilities in stable



https://rpki.exposed/ lists a large number of vulnerabilities affecting 
software in Debian stable: fort-validator, cfrpki, and rpki-client.
(Not routinator, because it is an unpackagable mess of Rust.)

(To make a long story short, RPKI is a way to digitally sign BGP routes 
and all network operators and IXPs are progressively deploying at least 
a couple of servers each to run the validators.)

The RPKI ecosystem is very young, so this was hardly unexpected.
While I did significant work trying to establish Debian as the go-to 
platform for deploying RPKI validators, at this point nobody will use 
the validators currently in Debian stable.

It is not really practical to extract and backport all these patches, so 
I would like to know from the release managers if they would strongly 
consider an upload to stable of the current releases of these packages 
or if I should request instead that they are all removed from stable.

Please Cc: me on replies.

-- 
ciao,
Marco
