Control: tags -1 moreinfo

On 2025-05-24 22:52:03 +0100, Samuel Henrique wrote:
> Package: release.debian.org
> Control: affects -1 + src:curl
> X-Debbugs-Cc: [email protected]
> User: [email protected]
> Usertags: unblock
> Severity: normal
>
> Please unblock package curl
>
> [ Reason ]
>
> curl 8.14.0 contains refactored code which will make it harder to maintain
> 8.13.0 (patch backporting complexity), for this reason, I would like to ship
> 8.14.0 in trixie.
>
> We (the curl maintainers) have been fixing every curl CVE for stable and
> oldstable since a few years. I'm afraid that shipping 8.13.0 will make it more
> difficult to keep doing that due to the refactors in 8.14.0.

Security, what's your take on this?

> [ Impact ]
>
> If this is not accepted:
>
> * Higher chances of causing breakages when backporting CVE fixes.
>
> * Higher chances of not fixing a CVE due to the backporting risks.
>
> [ Tests ]
>
> The RC releases for 8.14.0 have been in experimental since 2025-05-02 and no
> issues were ever spotted, our debci coverage is very good and we tend to
> report more than one issue per release, so this is a very good sign.
>
> [ Risks ]
>
> There are a lot of changes, mostly due to the refactor, but both the Debian
> curl maintainers and upstream are very active, I'm confident we can fix any
> issues spotted.
>
> I don't generally get concerned about breakages with curl releases, since we
> can easily spot them on debci and upstream is very quick to fix them. The main
> risk left is that of behavior changes, but when they happen, they are small
> and it should be fine to have them before trixie is released.
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [] attach debdiff against the package in testing

Please provide the debdiff with what you intend for trixie.

Cheers
--
Sebastian Ramacher

