Re: Match ecosystems with limited support in debian-security-support
Hello Moritz,

On Fri, 16 Apr 2021, Moritz Mühlenhoff wrote:
> > These source package sets come to mind:
> > - node-*
>
> That would be super-noisy and will potentially clash with a lot of local
> package state.

Do you consider it noisy due to the possible clash with local packages? Or
are both concerns unrelated?

I agree that it would not be good to report local packages as unsupported
and we should likely find a way to avoid this. But if you assume that this
can be fixed, what is the concern?

The purpose of this package is to inform users of unsupported packages that
they have installed and it doesn't seem right to not report anything when
they have such packages.

If the concern is that the list of node-* packages will shadow the list of
more important packages that are unsupported, maybe we can tweak the output
to list them in a single entry like "node-* (X packages concerned)".

What do you think of this suggestion?

Cheers,
--
⢀⣴⠾⠻⢶⣦⠀ Raphaël Hertzog
⣾⠁⢠⠒⠀⣿⡁
⢿⡄⠘⠷⠚⠋ The Debian Handbook: https://debian-handbook.info/get/
⠈⠳⣄ Debian Long Term Support: https://deb.li/LTS
Re: Match ecosystems with limited support in debian-security-support
On Sat, Apr 17, 2021 at 05:42:11PM +0200, Sylvain Beucler wrote:
> Hi,
>
> On 17/04/2021 14:44, Holger Levsen wrote:
> > On Fri, Apr 16, 2021 at 03:47:49PM +0200, Moritz Mühlenhoff wrote:
> > > > These source package sets come to mind:
> > > > - node-*
> > > That would be super-noisy and will potentially clash with a lot of local
> > > package state. It won't hurt to patch debian-security-support to support
> > > such globbing, but let's not include that into the default data sets.
> >
> > right. or let's at least first see how this plays out in practice before
> > putting it into a stable release...
>
> What approach would you suggest to make users aware that such packages do
> not have security support, through default 'check-security-support'?

It's already in the release notes. These need to be read anyway, since it
covers many more aspects relevant to the release.

Cheers,
        Moritz
Re: Match ecosystems with limited support in debian-security-support
Hi,

On 17/04/2021 21:29, Holger Levsen wrote:
> On Sat, Apr 17, 2021 at 05:42:11PM +0200, Sylvain Beucler wrote:
> > stretch however doesn't report the 3 packages I mentioned in my initial
> > mail. Should we fix it now?
>
> because the packages are not listed in sec-support.ended9? if so, sure,
> please add them, first to the master branch and then cherry pick those
> into the stretch branch. (and probably buster too).

No, the packages are listed but are mistakenly ignored due to the flawed
version-based checks, see point 2 in:
https://lists.debian.org/debian-lts/2021/04/msg00028.html

To put it another way: should we apply
https://salsa.debian.org/debian/debian-security-support/-/merge_requests/9
in stretch?

Cheers!
Sylvain
Re: Match ecosystems with limited support in debian-security-support
On Sat, Apr 17, 2021 at 05:42:11PM +0200, Sylvain Beucler wrote:
> What approach would you suggest to make users aware that such packages do
> not have security support, through default 'check-security-support'?

that's a tricky question, I'll pass for now... however I want to respond to
the other part of the mail:

> stretch however doesn't report the 3 packages I mentioned in my initial
> mail. Should we fix it now?

because the packages are not listed in sec-support.ended9? if so, sure,
please add them, first to the master branch and then cherry pick those into
the stretch branch. (and probably buster too).

--
cheers,
        Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄
Re: Match ecosystems with limited support in debian-security-support
Hi,

On 17/04/2021 14:44, Holger Levsen wrote:
> On Fri, Apr 16, 2021 at 03:47:49PM +0200, Moritz Mühlenhoff wrote:
> > > These source package sets come to mind:
> > > - node-*
> > That would be super-noisy and will potentially clash with a lot of local
> > package state. It won't hurt to patch debian-security-support to support
> > such globbing, but let's not include that into the default data sets.
>
> right. or let's at least first see how this plays out in practice before
> putting it into a stable release...

What approach would you suggest to make users aware that such packages do
not have security support, through default 'check-security-support'?
e.g. exhaustive list of packages, separate output section, ...?

Note: even people in the LTS team weren't aware of support limitations for
node* and golang*, so my guess is that most users don't know either.

> > But I think these should be made for after release, they are not in line
> > with the freeze policy.
>
> yes, agreed.

On the version check: bullseye's list is empty, and buster's only has 1
entry, so no rush on that front.

stretch however doesn't report the 3 packages I mentioned in my initial
mail. Should we fix it now?

Cheers!
Sylvain
Re: Match ecosystems with limited support in debian-security-support
Hi Moritz,

thanks for the review!

On Fri, Apr 16, 2021 at 03:47:49PM +0200, Moritz Mühlenhoff wrote:
> > These source package sets come to mind:
> > - node-*
> That would be super-noisy and will potentially clash with a lot of local
> package state. It won't hurt to patch debian-security-support to support
> such globbing, but let's not include that into the default data sets.

right. or let's at least first see how this plays out in practice before
putting it into a stable release...

> > The current code considers higher versions as supported, but as discussed in
> > the BTS there doesn't seem to be a valid use case for this, so I just
> > dropped the version-based check (and adapted the test suite).
> Haven't looked at the code, but agreed on dropping the version check, for
> a given distro a source package should be tracked as unsupported independent
> of the version.

yes.

> But I think these should be made for after release, they are not in line
> with the freeze policy.

yes, agreed.

--
cheers,
        Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄ After how many isolated cases does an isolated case become the norm? (Jan Böhmermann)
Re: Match ecosystems with limited support in debian-security-support
On Fri, Apr 16, 2021 at 11:05:35AM +0200, Sylvain Beucler wrote:
> Hi Security Team,
>
> I'm proposing a couple changes in debian-security-support and I'd welcome
> your review :)
>
> 1) Match ecosystems
> https://bugs.debian.org/986333
> https://salsa.debian.org/debian/debian-security-support/-/merge_requests/10
>
> Sometimes, entire ecosystems are affected by Debian support decisions.
>
> These source package sets come to mind:
> - node-*

That would be super-noisy and will potentially clash with a lot of local
package state. It won't hurt to patch debian-security-support to support
such globbing, but let's not include that into the default data sets.

> The current code considers higher versions as supported, but as discussed in
> the BTS there doesn't seem to be a valid use case for this, so I just
> dropped the version-based check (and adapted the test suite).

Haven't looked at the code, but agreed on dropping the version check, for
a given distro a source package should be tracked as unsupported independent
of the version.

But I think these should be made for after release, they are not in line
with the freeze policy.

Cheers,
        Moritz
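The two mechanics debated in this thread, matching a whole source package set by glob (the node-* case) with no version comparison, and collapsing the glob hits into one "node-* (X packages concerned)" entry as Raphaël suggested, as an added stand-alone Python illustration that is not the project's own check-security-support code. The data file layout, the origin field used to skip local packages and the installed package sample are constructed assumptions for this example.

```python
import fnmatch
from collections import defaultdict

# Constructed sample of an "ended" data file: one source package per line;
# an entry ending in "*" is a glob over source names (the node-* case).
# The layout is an assumption for this illustration, not the project's format.
UNSUPPORTED_ENTRIES = """
# source package
node-*
golang-*
chromium
"""

# Constructed sample of installed packages: (source, binary, version, origin);
# origin "local" marks a package that did not come from the Debian archive.
INSTALLED = [
    ("node-tar", "node-tar", "6.0.5+ds1+~cs11.3.9-1", "Debian"),
    ("node-yarnpkg", "yarnpkg", "1.22.4+~cs22.25.14-5", "Debian"),
    ("node-mytool", "node-mytool", "0.1-1", "local"),
    ("golang-golang-x-net", "golang-golang-x-net-dev", "1:0.0+git20210119.5f4716e+dfsg-4", "Debian"),
    ("chromium", "chromium", "90.0.4430.85-1", "Debian"),
    ("chromium", "chromium-common", "90.0.4430.85-1", "Debian"),
    ("bash", "bash", "5.1-2", "Debian"),
]

def parse_entries(text):
    """Drop blank lines and comments; keep plain source names and globs."""
    lines = (l.strip() for l in text.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def check(installed, entries):
    """Plain entries match by source name only (no version comparison);
    each glob entry collapses into one summary line with a count."""
    exact = {e for e in entries if "*" not in e}
    globs = [e for e in entries if "*" in e]
    report, glob_hits = [], defaultdict(set)
    for source, binary, version, origin in installed:
        if origin != "Debian":
            continue  # locally built packages are not reported as unsupported
        if source in exact:
            report.append(f"{source} ({binary}) {version}")
        for g in globs:
            if fnmatch.fnmatchcase(source, g):
                glob_hits[g].add(source)
    for g in globs:
        n = len(glob_hits[g])
        if n:
            plural = "s" if n != 1 else ""
            report.append(f"{g} ({n} source package{plural} concerned)")
    return report
```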
Re: Match ecosystems with limited support in debian-security-support
Hi Sylvain,

btw, you mailed the uploaders: but not the maintainer: email address...

On Fri, Apr 16, 2021 at 11:05:35AM +0200, Sylvain Beucler wrote:
> I'm proposing a couple changes in debian-security-support and I'd welcome
> your review :)
[...]
> If you agree with these changes I can merge them, and backport them to the
> various suites.

I'm not yet convinced the changes are suitable for bullseye at its current
stage. Thus I'd appreciate input from others on this matter.

--
cheers,
        Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄