Bug#1106486: pre-approval/unblock: curl/8.14.0-1
Hi Sebastian,
On Mon, May 26, 2025 at 10:54:43PM +0200, Sebastian Ramacher wrote:
> Control: tags -1 moreinfo
>
> On 2025-05-24 22:52:03 +0100, Samuel Henrique wrote:
> > Package: release.debian.org
> > Control: affects -1 + src:curl
> > X-Debbugs-Cc: curl@packages.debian.org
> > User: release.debian.org@packages.debian.org
> > Usertags: unblock
> > Severity: normal
> >
> > Please unblock package curl
> >
> > [ Reason ]
> >
> > curl 8.14.0 contains refactored code which will make it harder to maintain
> > 8.13.0 (patch backporting complexity), for this reason, I would like to ship
> > 8.14.0 in trixie.
> >
> > We (the curl maintainers) have been fixing every curl CVE for stable and
> > oldstable since a few years. I'm afraid that shipping 8.13.0 will make it more
> > difficult to keep doing that due to the refactors in 8.14.0.
>
> Security, what's your take on this?
First, I can definitively confirm that the curl maintainers are tracking
all the CVEs well; while most were not warranting a DSA, they got fixed
in subsequent point releases:
https://security-tracker.debian.org/tracker/source-package/curl shows
the result nicely.
While I have not explicitly looked at the refactoring mentioned in
8.13.0 -> 8.14.0, I have to trust Samuel's judgment here that it may
have an impact on backporting fixes (which then also holds as an
argument that backporting fixes to bookworm/oldstable will become more
difficult).
If the curl maintainers are confident that 8.14.0 is in good shape
for trixie, then I would suggest following their take and shipping trixie
with 8.14.0.
But again, that said, I can only comment on how I observe their work
with respect to fixing security issues in stable, which is a good
track record.
Regards,
Salvatore