Bug#687916: unblock: zabbix/1:2.0.2+dfsg-4
On Mon, Oct 1, 2012 at 20:07:07 +0200, Moritz Mühlenhoff wrote:

> For stable-security backporting security issues wasn't feasible due to a lack of continued upstream support for 1.8.x and invasive/complex changes. This shouldn't happen again. If there's no commitment from upstream to support a long term branch it should rather be removed from testing.

Dmitry, is there such a commitment for 2.0.x for wheezy's lifetime?

Cheers,
Julien
Bug#687916: unblock: zabbix/1:2.0.2+dfsg-4
Hi Julien,

On Sun, 9 Dec 2012 00:45:28 Julien Cristau wrote:

> On Mon, Oct 1, 2012 at 20:07:07 +0200, Moritz Mühlenhoff wrote:
> > For stable-security backporting security issues wasn't feasible due to a lack of continued upstream support for 1.8.x and invasive/complex changes. This shouldn't happen again. If there's no commitment from upstream to support a long term branch it should rather be removed from testing.
>
> Dmitry, is there such a commitment for 2.0.x for wheezy's lifetime?

Yes, I believe there is but I'm not sure how to support it with evidence.

First of all I feel that Moritz' statement regarding upstream support for 1.8.x may be a bit inaccurate. As you can see from http://www.zabbix.com/rn2.0.4.php last released Zabbix 1.8.15 was published on 2012-08-20 so I'm not sure if we can already declare lack of continued upstream support for 1.8.x.

Just today I was looking into old CVEs to close in stable as per discussion in #683273. I found that whenever a CVE was reported to upstream using the bug tracker they commit the corresponding fix into a dedicated branch that later got merged into trunk and 1.8 branches so it's not that difficult to isolate the changes. Of course when upstream applied a security fix to version 1.8.11 it may be not too easy to backport it to 1.8.2 but I suspect this problem is not unique to Zabbix.

I have very limited experience with security fixes in Zabbix (and in Debian in general) so please don't take my words as granted without feedback from Christoph and Moritz who are far more experienced than I am.

However to put this situation to proper context I'd like to mention the mysql-workbench package (maintained by yours truly) where upstream doesn't have a public VCS at all. Backporting fixes is only possible by reverse-engineering new tarball releases by comparing huge changesets and trying to make sense of changes. To make matters worse upstream is not updating the changelog accurately enough so you can imagine the challenges.

I believe Zabbix is much better in that regard.

We can't be sure how well Zabbix will be supporting 1.8.x in the future. Obviously they've switched focus to Zabbix 2.0.x and that makes it better for us to upgrade to 2.0.

While we can't be sure regarding future support for 1.8 and backporting fixes was proven to be challenging (according to feedback from Christoph and Moritz) I think we all agree that 1.8 is better to be removed from testing to minimise the risks and the maintenance burden. (I think at the moment security fixes are applied to 2.0 first, so even the delay before a fix will be applicable to 1.8 is bad enough.)

Personally I hope that unblocking 2.0 may be considered as the current version in unstable was remarkably free of troubles but that's just my inexperienced opinion.

I think Christoph is quite excited about the idea of maintaining Zabbix in backports so the tough decision regarding Zabbix' destiny in Debian is with you. :)

Thank you.

Regards,
Dmitry.

-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/201212090141.46740.only...@member.fsf.org
Re: Bug#687916: unblock: zabbix/1:2.0.2+dfsg-4
Dmitry Smirnov only...@member.fsf.org wrote:

> On Sun, 30 Sep 2012 06:07:18 Julien Cristau wrote:
> > At this point my preference would go towards removing zabbix from wheezy. The new version was uploaded too late for the freeze, and if nobody's fixing 1.8 then there's no point shipping that.
>
> It is true that 1.8 has problems that we already fixed in 2.0. So it comes down to the question is 2.0 good enough to replace 1.8.
>
> Removing Zabbix 1.8 feels like punishing for my poor timing. (Personally I have a pretty good excuse for it). Yes 2.0 was uploaded late, but it is done well. Now it is 45 days without new bugs.
>
> I don't want to see Zabbix removed and this won't help our relationships with upstream.
>
> I was not involved in 1.8 maintenance and therefore it is a bit challenging for me to get into it quick enough. Looking after both versions is more difficult but I'll see what I can do.
>
> Meanwhile I'd like to discuss pros and cons of replacing 1.8 with 2.0 please.

For stable-security backporting security issues wasn't feasible due to a lack of continued upstream support for 1.8.x and invasive/complex changes. This shouldn't happen again. If there's no commitment from upstream to support a long term branch it should rather be removed from testing.

Cheers,
Moritz
Bug#687916: unblock: zabbix/1:2.0.2+dfsg-4
On Mon, Sep 17, 2012 at 14:18:26 +1000, Dmitry Smirnov wrote:

> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
>
> Dear release team,
>
> I seek your advice regarding the possibility for unblocking package 'zabbix'.
>
> This is a major upgrade, not compliant with freeze policy and there were great many changes [1] (and bugfixes) yet I believe we might have strategic benefits from allowing new version to Wheezy mostly from security perspective.
>
> Security team expressed their concerns in #679801 http://bugs.debian.org/679801
>
> At the moment current version in testing (zabbix/1:1.8.11-1+b1) is affected by #683273 (security) and possibly some other security issues not to mention number of bugs fixed in unstable.
>
> Also unblocking will be a relief for future maintenance.
>
> Please note that zabbix/1:2.0.2+dfsg-4 was in unstable for 33 days with no new bugs reported. Generally user's feedback for version 2 was quite positive and we already have few backporting requests.

At this point my preference would go towards removing zabbix from wheezy. The new version was uploaded too late for the freeze, and if nobody's fixing 1.8 then there's no point shipping that.

Cheers,
Julien
Bug#687916: unblock: zabbix/1:2.0.2+dfsg-4
On Sun, 30 Sep 2012 06:07:18 Julien Cristau wrote:

> At this point my preference would go towards removing zabbix from wheezy. The new version was uploaded too late for the freeze, and if nobody's fixing 1.8 then there's no point shipping that.

It is true that 1.8 has problems that we already fixed in 2.0. So it comes down to the question is 2.0 good enough to replace 1.8.

Removing Zabbix 1.8 feels like punishing for my poor timing. (Personally I have a pretty good excuse for it). Yes 2.0 was uploaded late, but it is done well. Now it is 45 days without new bugs.

I don't want to see Zabbix removed and this won't help our relationships with upstream.

I was not involved in 1.8 maintenance and therefore it is a bit challenging for me to get into it quick enough. Looking after both versions is more difficult but I'll see what I can do.

Meanwhile I'd like to discuss pros and cons of replacing 1.8 with 2.0 please.

Regards,
Dmitry.