Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
As discussed with Moritz Mühlenhoff of the security team, I would like to explore the possibility of adding the libretls package to a bullseye point release, to be able to update rpki-client to a newer release via bullseye-security.

Background from my previous message to the security team:

https://rpki.exposed/ lists a large number of vulnerabilities affecting software in Debian stable: fort-validator, cfrpki, and rpki-client. (Not routinator, because it is an unpackageable mess of Rust.)

(To make a long story short, RPKI is a way to digitally sign BGP routes, and all network operators and IXPs are progressively deploying at least a couple of servers each to run the validators.)

The RPKI ecosystem is very young, so this was hardly unexpected. While I did significant work trying to establish Debian as the go-to platform for deploying RPKI validators, at this point nobody will use the validators currently in Debian stable.

It is not really practical to extract and backport all these patches, so I would like to know from the release managers if they would strongly consider an upload to stable of the current releases of these packages, or if I should request instead that they all be removed from stable.

fort-validator and cfrpki are currently in proposed-updates, but at the time I did not notice that newer versions of rpki-client require libretls, which did not get into testing in time for the bullseye release.

-- 
ciao,
Marco