Bug#1106486: pre-approval/unblock: curl/8.14.0-1
Control: tags -1 moreinfo
On 2025-05-24 22:52:03 +0100, Samuel Henrique wrote:
> Package: release.debian.org
> Control: affects -1 + src:curl
> X-Debbugs-Cc: curl@packages.debian.org
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> Severity: normal
>
> Please unblock package curl
>
> [ Reason ]
>
> curl 8.14.0 contains refactored code which will make it harder to maintain
> 8.13.0 (patch backporting complexity), for this reason, I would like to ship
> 8.14.0 in trixie.
>
> We (the curl maintainers) have been fixing every curl CVE for stable and
> oldstable for a few years. I'm afraid that shipping 8.13.0 will make it more
> difficult to keep doing that due to the refactors in 8.14.0.

Security, what's your take on this?

> [ Impact ]
>
> If this is not accepted:
>
> * Higher chances of causing breakages when backporting CVE fixes.
>
> * Higher chances of not fixing a CVE due to the backporting risks.
>
> [ Tests ]
>
> The RC releases for 8.14.0 have been in experimental since 2025-05-02 and no
> issues were ever spotted, our debci coverage is very good and we tend to report
> more than one issue per release, so this is a very good sign.
>
> [ Risks ]
>
> There are a lot of changes, mostly due to the refactor, but both the Debian
> curl maintainers and upstream are very active, I'm confident we can fix any
> issues spotted.
>
> I don't generally get concerned about breakages with curl releases, since we
> can easily spot them on debci and upstream is very quick to fix them. The main
> risk left is that of behavior changes, but when they happen, they are small and
> it should be fine to have them before trixie is released.
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [] attach debdiff against the package in testing

Please provide the debdiff with what you intend for trixie.

Cheers
--
Sebastian Ramacher