I don't agree that it makes any difference to the actual security of the
end user, if the upstream security fixes exist but no one cares enough
about the package to include them in SRUs.

https://people.canonical.com/~ubuntu-security/cve/pkg/botan1.10.html
shows 6 unfixed CVEs against botan1.10 in Ubuntu 16.04.

All of these are of medium priority, so it's not necessarily an
indictment that there *haven't* been security updates for these.  Still,
I find the rationale for dropping these packages from the release to be
rather weak.

 - monotone, ovito, and botan1.10 all successfully build from source (as of the last test rebuild in Ubuntu - there are FTBFS bugs filed in Debian, however?)
 - monotone and ovito are user-facing applications which, while they may not have a broad userbase, don't appear to have any direct replacement in the archive.
 - neither the monotone nor the ovito package has in principle done anything wrong by not switching to botan2, which only became available in sid and Ubuntu on March 17.
 - the CVE history of botan1.10 suggests that having botan 1.10 vs. botan 2 in bionic is unlikely to have any impact on the security support received by the end user.
 - none of these packages have yet been removed from Debian (though they have been removed from Debian testing).

If these packages had been removed from Debian, I would follow that
removal without question.  But removal from testing is not by itself
enough of a reason to remove from Ubuntu, IMHO.

-- 
https://bugs.launchpad.net/bugs/1760263

Title:
  RM: will become EOL upstream in December, not in testing


-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
