Bug#1004441: unblocking chromium?
Control: close 1004441 Hi, On 10-01-2023 21:05, Moritz Mühlenhoff wrote: Sounds good! Can you add a README.Debian.security to the next unstable uploads which briefly documents that? When bookworm has been released we can also add a note to Chromium DSAs to give folks a headsup. So, it sounds like we agree that chromium can be part of bookworm from security point of view. Closing the bug that reminded us to take that decision. Paul OpenPGP_signature Description: OpenPGP digital signature
Processed: Re: Bug#1004441: unblocking chromium?
Processing control commands: > close 1004441 Bug #1004441 [release.debian.org] Chromium: decide before the freeze if it can be part of bookworm Marked Bug as done -- 1004441: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004441 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1004441: unblocking chromium?
Am Sun, Jan 08, 2023 at 12:27:52AM -0500 schrieb Andres Salomon: > > On Fri, Jan 6 2023 at 11:36:02 AM +0200, Adrian Bunk > wrote: > > On Fri, Jan 06, 2023 at 10:18:16AM +0100, Moritz Muehlenhoff wrote: > > > ... > > > We might consider to set some expectation for oldstable-security, > > > though e.g state that > > > oldstable-security updates stop three months after the release of > > > stable or so. > > > > > > Yeah, I like that idea. I think I could comfortably handle about 6 months of > dual security support (stable+oldstable), personally. Sounds good! Can you add a README.Debian.security to the next unstable uploads which briefly documents that? When bookworm has been released we can also add a note to Chromium DSAs to give folks a headsup. Cheers, Moritz
Bug#1004441: unblocking chromium?
On Fri, Jan 6 2023 at 11:36:02 AM +0200, Adrian Bunk wrote: On Fri, Jan 06, 2023 at 10:18:16AM +0100, Moritz Muehlenhoff wrote: ... We might consider to set some expectation for oldstable-security, though e.g state that oldstable-security updates stop three months after the release of stable or so. Yeah, I like that idea. I think I could comfortably handle about 6 months of dual security support (stable+oldstable), personally. Chromium is very fast-paced in toolchain changes (e.g. in the past new C++ features become incompatible with GCC and we might see something similar with LLVM (which is used these days) as well. New LLVM versions are already added annually to *stable for Firefox, even in LTS (which got LLVM 13 last autumn in addition to 6, 7 and 11). The LLVM updates have been very helpful for chromium bullseye support.
Bug#1004441: unblocking chromium?
On Fri, Jan 06, 2023 at 10:18:16AM +0100, Moritz Muehlenhoff wrote: >... > We might consider to set some expectation for oldstable-security, though e.g > state that > oldstable-security updates stop three months after the release of stable or > so. > > Chromium is very fast-paced in toolchain changes (e.g. in the past new C++ > features > become incompatible with GCC and we might see something similar with LLVM > (which > is used these days) as well. New LLVM versions are already added annually to *stable for Firefox, even in LTS (which got LLVM 13 last autumn in addition to 6, 7 and 11). > Cheers, > Moritz cu Adrian
Bug#1004441: unblocking chromium?
On Fri, Jan 06, 2023 at 08:41:50AM +0100, Paul Gevers wrote: > Dear Chromium team, Security team, > > On 27-01-2022 17:15, Moritz Muehlenhoff wrote: > > On Wed, Jan 26, 2022 at 09:38:42PM +0100, Paul Gevers wrote: > > > > So, I'm proposing the following: we unblock chromium from > > > > testing, with the understanding that prior to bookworm's release, we > > > > have a discussion with the release team about whether chromium will > > > > be allowed in the stable release. This will allow testing users to > > > > upgrade for now, and then at bookworm freeze time we can figure out what > > > > will happen with chromium (and prepare the appropriate release notes if > > > > it will no longer be in stable/testing). What does the release team & > > > > others think of this? > > > > Sounds good! > > > > > If the security team agrees with the message this is sending, > > > I propose the following. We create an RC bug against release.debian.org > > > (to > > > make sure this issue is not forgotten, but not directly blocks chromium) > > > with an "Affects: chromium", that clearly states that we postpone the > > > decision. The decision will depend on how chromium updates (both in sid > > > and > > > supported releases) are handled between now and approximately the freeze. > > > If > > > we do this, don't get me wrong, I'll kick chromium out of bookworm again > > > if > > > there's no good track record before we release. > > > > Sounds good! > > It's about time we start discussing this. In your opinion, did the Chromium > Team show enough track record to warrant chromium in bookworm during its > stable cycle? From the raw number of uploads my first impression is yes, but > I have no idea of the quality, how the communication went and those kind of > details. Andres's work has been top notch and it seems recently someone else has joined the effort as well, so if they are up for continuing with Chromium's pace, that's perfectly fine to continue to do so for bookworm. We might consider to set some expectation for oldstable-security, though e.g state that oldstable-security updates stop three months after the release of stable or so. Chromium is very fast-paced in toolchain changes (e.g. in the past new C++ features become incompatible with GCC and we might see something similar with LLVM (which is used these days) as well. Cheers, Moritz
Bug#1004441: unblocking chromium?
Dear Chromium team, Security team, On 27-01-2022 17:15, Moritz Muehlenhoff wrote: On Wed, Jan 26, 2022 at 09:38:42PM +0100, Paul Gevers wrote: So, I'm proposing the following: we unblock chromium from testing, with the understanding that prior to bookworm's release, we have a discussion with the release team about whether chromium will be allowed in the stable release. This will allow testing users to upgrade for now, and then at bookworm freeze time we can figure out what will happen with chromium (and prepare the appropriate release notes if it will no longer be in stable/testing). What does the release team & others think of this? Sounds good! If the security team agrees with the message this is sending, I propose the following. We create an RC bug against release.debian.org (to make sure this issue is not forgotten, but not directly blocks chromium) with an "Affects: chromium", that clearly states that we postpone the decision. The decision will depend on how chromium updates (both in sid and supported releases) are handled between now and approximately the freeze. If we do this, don't get me wrong, I'll kick chromium out of bookworm again if there's no good track record before we release. Sounds good! It's about time we start discussing this. In your opinion, did the Chromium Team show enough track record to warrant chromium in bookworm during its stable cycle? From the raw number of uploads my first impression is yes, but I have no idea of the quality, how the communication went and those kind of details. Paul OpenPGP_signature Description: OpenPGP digital signature