unblocking chromium?

2022-01-25 Thread Andres Salomon
Hi,

Chromium has been updated in sid and bullseye, and I'm in the process
of cleaning up the package further to make it easier to maintain.
Chromium is currently blocked from entering testing. I'm not going to
make any claims about the suitability of including chromium in the next
bookworm release; that's a conversation to have in a year or so (and
I'm in 100% complete agreement that it needs an active team behind it,
given the large number of security updates).

However, it did occur to me that Debian users who are running testing
might still be running old insecure versions of chromium, and might not
be aware that newer versions are in sid but not testing. I realize that
testing doesn't get security support, but as someone who has used
testing on his desktop in the past, I expected packages to at least get
updated even with (sometimes significant) delays.

I don't have hard stats, and the popcon data doesn't show things by
release, but looking at popcon graphs is worrisome. This seems to show
around 27k chromium installs:
https://qa.debian.org/popcon-graph.php?packages=chromium_installed=on_legend=on_ticks=on_date=2021-01-01_date=_date=_fmt=%25Y-%25m=1
Meanwhile, this shows on the order of 10k active chromium users, and
less than 6k popcon chromium users have upgraded the package in the
past 30 days:
https://qa.debian.org/popcon-graph.php?packages=chromium_vote=on_recent=on_legend=on_ticks=on_date=2021-01-01_date=_date=_fmt=%25Y-%25m=1
Unfortunately there's no way to know how many of those users are
running testing (only stable; around 42% of the package installs are
from stable, and around 78% of the folks who upgraded are using stable,
if I'm understanding the popcon raw data correctly).

So, I'm proposing the following: we unblock chromium from
testing, with the understanding that prior to bookworm's release, we
have a discussion with the release team about whether chromium will
be allowed in the stable release. This will allow testing users to
upgrade for now, and then at bookworm freeze time we can figure out what
will happen with chromium (and prepare the appropriate release notes if
it will no longer be in stable/testing). What do the release team &
others think of this?

Thanks,
Andres



Bug#1002298: bullseye-pu: package clamav/0.103.4+dfsg-0+deb11u1

2022-01-25 Thread Sebastian Andrzej Siewior
On 2022-01-25 18:46:16 [+], Adam D. Barratt wrote:
> For the record, .5 was released via {buster,bullseye}-updates last
> night; see SUA211-1 / 
> https://lists.debian.org/debian-stable-announce/2022/01/msg1.html

Thank you.

> Regards,
> 
> Adam

Sebastian



Bug#1002298: bullseye-pu: package clamav/0.103.4+dfsg-0+deb11u1

2022-01-25 Thread Adam D. Barratt
On Sun, 2022-01-16 at 19:09 +, Adam D. Barratt wrote:
> On Fri, 2022-01-14 at 21:51 +0100, Sebastian Andrzej Siewior wrote:
> > > Speaking of latest patch version: Upstream released today .5. Would
> > > you prefer to wait with this until I upload .5 to unstable and
> > > stable/oldstable for this (and avoiding a second announcement)?
> > 
> > I assume a direct update to .5 is preferred so I attached it here.
> > Regarding the wording: in [0] upstream says that they are going to
> > block 0.102 and earlier from database updates so we should be good.
> > That means they did not mention to block previous 0.103 releases so
> > there is probably no need to add stronger wording as I suggested.
> > The NEWS file mentions a CVE which looks harmless in typical mail
> > server setup since it requires an additional option for scanning.
> > 
> > I have it in unstable since the 12th and deployed the Buster version
> > on a server and had the regular testing for Bullseye.
> 
> Sorry, things have been a little hectic recently.
> 
> Updating to .5 seems to make sense for everyone; thanks.
> 

For the record, .5 was released via {buster,bullseye}-updates last
night; see SUA211-1 / 
https://lists.debian.org/debian-stable-announce/2022/01/msg1.html

Regards,

Adam