Control: tag -1 - moreinfo

Paul Gevers writes:
> On Wed, 15 May 2019 03:47:28 -0400 Afif Elghraoui <[email protected]> wrote:
>> Please unblock package singularity-container/3.1.1+ds-1
>>
>> This package is prone to security vulnerabilities. Upstream provides
>> long-term support for selected versions to their paid users, but also
>> releases all code changes (including backported security patches) to the
>> community.
>>
>> Both 3.0.x and 3.1.x were released earlier this year and it was not
>> known at the time which of these would be the LTS version. 3.0.3 is what
>> I bet on and what is in Testing now, but it now turns out that I was
>> wrong and it's actually 3.1. Using it would greatly facilitate our
>> ability to provide support over the lifetime of Buster.
>>
>> The benefits of doing this have also just been clearly demonstrated:
>> Upstream just released 3.2.0, adding new features as well as fixing
>> security issues affecting versions 3.1.0 and up, but because 3.1 is
>> under LTS support for their paid users, they also provided the security
>> patches backported to 3.1 (see the 3.2.0 release notes -
>> https://github.com/sylabs/singularity/releases/tag/v3.2.0 ).
>>
>> So I apologize for the large diff, but I think we'd be in much better
>> shape having this upstream version in Buster. Especially because of the
>> large diff, backporting patches to 3.0 without the help from upstream
>> that we'd get by using 3.1 would be unnecessarily more burdensome.
>>
>> Many thanks for your time and consideration.
>
> Your proposed changes very much do not align with the freeze policy, so
> you're asking for an exception for a new upstream release. This package
> is currently listed to be auto-removed due to docker.io, so I am not
> going to review it now. docker.io is a major concern for the
> security-team so that needs to be resolved first. If that gets resolved
> in a timely manner, i.e. before it is auto-removed, please ping this bug
> (e.g. by removing the moreinfo bug).

I've removed the moreinfo tag as docker.io was unblocked.

Ansgar

