Vincent Bernat wrote on 2022-08-04 12:14:
On 2022-08-04 10:35, William Edwards wrote:

However, https://haproxy.debian.net/#distribution=Debian&release=buster&version=2.2 says:

"The Debian HAProxy packaging team provides various versions of HAProxy packages for use on different Debian or Ubuntu systems. The following wizard helps you to find the package suitable for your system. [...] You will get a stable release of HAProxy 2.2: you may not get the latest version but important fixes from later versions are included. Moreover, regressions are unlikely."

The bugs page tries to get users to ALWAYS use the latest version. But the haproxy.debian.org page says that it's okay not to use the latest version.

That's two different points of view, one from Debian, one from
upstream. They are difficult to reconcile. That's why you (as a user)
have to choose: an old version with only "important" fixes (security
fixes mostly) and with known bugs but unlikely regressions on upgrade,
or a recent version of a stable branch with fixes and sometimes
regressions.

Upstream is unlikely to help debug old versions. The Debian solution
is to report the issue on bugs.debian.org, but this does not scale
well and I am likely to just ignore the bug because I am too short on
time.

The statement on the HAProxy bugs page implies that there is only one right way. That same website refers to haproxy.debian.org, which contradicts the former. I understand that the points of view are difficult to reconcile. I do not think that -when the user is actively pointed towards both sources- they should contradict each other, however.

If 2.2.9 as in the official Debian repository does not work for you,
the easiest path is to upgrade to 2.2.25 using the second set of
instructions.

I found this bug[1] on the bugs page which looks promising. I'll do
some more investigation today. Perhaps someone could corroborate that
that bug's symptoms match what I'm seeing.

Note that if this patch fixes this bug, this is a lot of work to
integrate it into the current release of Debian. This will have to
wait for the next point release (not a security issue), I would need
to ask people to authorize the patch, explain, ask again, prepare,
upload, then upload the backports until you get the resulting package
available as 2.2.9-2+deb11u4~bpo10+1. Backporting a random patch may
trigger regressions as it may need other patches to be backported.
This is a nest of problems. So, if this patch solves your issue, you
are on your own maintaining a fork of the package.

The commit mentioned in the patch (eddcfbc1911c when backported) is
introduced in 2.2.23, so it's likely not the patch you need or you
need other patches as well.

According to http://www.haproxy.org/bugs, 2.2.9 is affected by the bug[1]. However, the changelog[2] only shows the causing commit ("BUG/MEDIUM: mux-h2: make use of http-request and keep-alive timeouts") to be included in 2.2.23. How could 2.2.9 be affected by a bug which was introduced by a commit that is included in 2.2.23?

[1]: http://git.haproxy.org/?p=haproxy-2.2.git;a=commitdiff;h=3e2434e
[2]: http://git.haproxy.org/?p=haproxy-2.2.git;a=blob_plain;f=CHANGELOG

--
With kind regards,

William Edwards

