Bug#1106871: unblock: redis/5:8.0.0-2
On Fri, May 30, 2025 at 12:32:56PM -0700, Chris Lamb wrote:
>...
> Please unblock redis for trixie.
>...
> Otherwise we are shipping a rather old version of the server (7.0.15)
> that upstream will have absolutely no interest in supporting over the
> lifetime that we want to support it, and it will make the inevitable
> security backports arduous for us as well.
Shipping 8.0 in trixie would actually cause really arduous security support.
Right now Redis and Valkey are relatively similar codebases,
and have the same licence.
In trixie both will usually require fixes for the same CVEs.
> A new way of managing the client's state within the server's codebase
> exacerbates this problem, making fairly trivial changes to the code
> difficult to reason about at times.
Arduous would not be that code would diverge.
I did the last 3 rounds of Redis security fixes for all releases from
bookworm to jessie, and backporting security fixes was not particularly
difficult.
Arduous for security support would be that due to the Redis licence
changes Redis/trixie would have licences (AGPL and others) different
from both Redis/bookworm (BSD) and Valkey/trixie (BSD).
Easiest for security support would be keeping Redis/trixie with
identical licence (and with a closer codebase) to Valkey, and
then treat Valkey as upstream for Redis/trixie security support.
From March 2024 until May 2025 the latest Redis version was available
only under non-free licences, in time for forky we might see whether
the corporate backers of Valkey[1] and the ecosystem will move back to
Redis, or whether Valkey will be the one that stays, or whether both
Redis and Valkey will stay popular.
> (In fact, I'm actually already
> encountering this issue: a new CVE landed a few hours ago, and I can
> already sense that backporting it to the 7.0.15 version will be a pain.)
>...
I already looked at CVE-2025-27151 on Thursday, it should be trivial
to fix and I can submit that for trixie together with my fix for
CVE-2025-21605 (the latter was in unstable before).
> Regards,
cu
Adrian
[1] https://valkey.io/participants/