On Fri, May 30, 2025 at 12:32:56PM -0700, Chris Lamb wrote:
>...
> Please unblock redis for trixie.
>...
> Otherwise we are shipping a rather old version of the server (7.0.15)
> that upstream will have absolutely no interest in supporting over the
> lifetime that we want to support it, and it will make the inevitable
> security backports arduous for us as well.

Shipping 8.0 in trixie would actually cause really arduous security
support.

Right now Redis and Valkey are relatively similar codebases, and have
the same licence. In trixie both will usually require fixes for the
same CVEs.

> A new way of managing the client's state within the server's codebase
> exacerbates this problem, making fairly trivial changes to the code
> difficult to reason about at times.

Arduous would not be that code would diverge. I did the last 3 rounds
of Redis security fixes for all releases from bookworm to jessie, and
backporting security fixes was not particularly difficult.

Arduous for security support would be that due to the Redis licence
changes Redis/trixie would have licences (AGPL and others) different
from both Redis/bookworm (BSD) and Valkey/trixie (BSD).

Easiest for security support would be keeping Redis/trixie with
identical licence (and with a closer codebase) to Valkey, and then
treat Valkey as upstream for Redis/trixie security support.

From March 2024 until May 2025 the latest Redis version was available
only under non-free licences, in time for forky we might see whether
the corporate backers of Valkey[1] and the ecosystem will move back to
Redis, or whether Valkey will be the one that stays, or whether both
Redis and Valkey will stay popular.

> (In fact, I'm actually already
> encountering this issue: a new CVE landed a few hours ago, and I can
> already sense that backporting it to the 7.0.15 version will be a pain.)
>...

I already looked at CVE-2025-27151 on Thursday, it should be trivial to
fix and I can submit that for trixie together with my fix for
CVE-2025-21605 (the latter was in unstable before).

> Regards,

cu
Adrian

[1] https://valkey.io/participants/