control: tags -1 - moreinfo Sebastian Ramacher <sramac...@debian.org> writes:
> On 2023-01-24 17:17:36 +0100, Ferenc Wágner wrote: > >> Package: release.debian.org >> Severity: normal >> User: release.debian....@packages.debian.org >> Usertags: transition >> >> When reporting #1028286 (transition: xml-security-c) I totally missed >> that one of the mentioned planned upper layer uploads is the >> shibboleth-sp 3.3 -> 3.4 upgrade, which, contrary to the xml-security-c >> transition, actually entails an SONAME change. Since this wasn't >> explicit in the original bug, we decided to ask for your ACK again. >> As you can see in the autogenerated tracker at >> https://release.debian.org/transitions/html/auto-shibboleth-sp.html, >> there are only two reverse dependencies, both of which are internal to >> the Shibboleth ecosystem (thus maintained by us) and both build without >> changes against shibboleth-sp 3.4.1+dfsg-1. > > What would be the consequences of postponing this transition to trixie? There are no significant functional changes in this transition. Our main reason for proposing it is to ship bookworm with the "current stable release" as much as possible, because upstream provides security support for the latest two stable releases only [1], and Shibboleth, being security software, heavily depends on being patched in a timely manner to stay useful. While upstream actively works with us on preparing updates during the embargo periods, this may not be enough if we have to backport the fixes ourselves, so we strive to minimize such exposure. Since this transition affects only two packages, which we need to rebuild anyway, we'd welcome the additional safety this upgrade would mean in providing security support for bookworm. [1] https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/1134625008/ProductVersioning -- Best regards, Feri.