Hi Andres,

On 26-01-2022 08:00, Andres Salomon wrote:
> Chromium has been updated in sid and bullseye, and I'm in the process of cleaning up the package further to make it easier to maintain. Chromium is currently blocked from entering testing. I'm not going to make any claims about the suitability of including chromium in the next bookworm release; that's a conversation to have in a year or so (and I'm in 100% complete agreement that it needs an active team behind it, given the large number of security updates).
Thus looping the security team into the discussion too. The removal from bookworm was on their request (with which I fully agreed).
> However, it did occur to me that debian users who are running testing might still be running old insecure versions of chromium, and might not be aware that newer versions are in sid but not testing. I realize that testing doesn't get security support, but as someone who has used testing on his desktop in the past, I expected packages to at least get updated even with (sometimes significant) delays.
It is my honest belief that users of testing *have to* take care of checking their system for removed packages (but I know there will be plenty that don't). That's how testing works.
> I don't have hard stats, and the popcon data doesn't show things by release, but looking at popcon graphs is worrisome. This seems to show around 27k chromium installs:
>
> https://qa.debian.org/popcon-graph.php?packages=chromium&show_installed=on&want_legend=on&want_ticks=on&from_date=2021-01-01&to_date=&hlght_date=&date_fmt=%25Y-%25m&beenhere=1
>
> Meanwhile, this shows on the order of 10k active chromium users, and less than 6k popcon chromium users have upgraded the package in the past 30 days:
>
> https://qa.debian.org/popcon-graph.php?packages=chromium&show_vote=on&show_recent=on&want_legend=on&want_ticks=on&from_date=2021-01-01&to_date=&hlght_date=&date_fmt=%25Y-%25m&beenhere=1
>
> Unfortunately there's no way to know how many of those users are running testing (only stable; around 42% of the package installs are from stable, and around 78% of the folks who upgraded are using stable, if I'm understanding the popcon raw data correctly).
>
> So, I'm proposing the following: we unblock chromium from testing, with the understanding that prior to bookworm's release, we have a discussion with the release team about whether chromium will be allowed in the stable release. This will allow testing users to upgrade for now, and then at bookworm freeze time we can figure out what will happen with chromium (and prepare the appropriate release notes if it will no longer be in stable/testing).
>
> What does the release team & others think of this?
Normally we remove stuff that we think is not going to be in the next stable release as early as we notice. However, in this case I acknowledge that you should have a chance to show you could be part of the team and attract more team members. If the security team agrees with the message this is sending, I propose the following. We create an RC bug against release.debian.org (to make sure this issue is not forgotten, but does not directly block chromium) with an "Affects: chromium", that clearly states that we postpone the decision. The decision will depend on how chromium updates (both in sid and supported releases) are handled between now and approximately the freeze. If we do this, don't get me wrong, I'll kick chromium out of bookworm again if there's no good track record before we release.
Paul

PS: yes, I'm occasionally using chromium myself, it's installed from unstable at this moment.