On Sun, May 31, 2026 at 06:08:22PM -0400, Thomas Ward wrote:
>...
> [ Risks ]
> If someone using Trixie wants to use DHE ciphers for TLS 1.2 and such,
> those are no longer available.
>
> Version 1.3 of nginx-snippets uses an April 2026-era updated set of
> TLS Guidance from Mozilla. DHE ciphers (but not ECDHE and PQ ciphers)
> were removed from the 'Intermediate' cipher sets.
>...

Many users will automatically install updates on their machines,
ranging from production servers to a laptop installed by the
Debian-geek family member who is not always present.

Chances are that an automated upgrade with such a change will break
something somewhere for someone, on stable.

>...
> [ Impact ]
> Users who wish to enable post-quantum resilient curves run into the
> snippets provided by nginx-snippets removing PQ curves.
>
> While not directly a 'security' issue as currently defined by the
> industry, it poses a concern if someone needs PQ resilience.
>...

trixie is 2024 software, and might lack features that are desirable
in 2026. That is a choice everyone using Debian stable has made.

Backports is the right place for giving users the option to pick a
specific package from the next stable release if they need some
specific newer functionality.

cu
Adrian

