The Debian bug is extremely lengthy to read through. It's worthwhile to read the first message. Message 215 from April shows some statistics about CVEs from 2023-2024. Then maybe a quick look over messages after that is sufficient to get caught up without having to handle the entire discussion.
As long as nearly all the packaging work is being done by Jonas, it looks unlikely for Jonas to be comfortable letting the package migrate into Testing, which is a prerequisite for it to be included in either Debian Backports or a future Debian stable release. From Ubuntu's perspective, asterisk still has so many CVEs and Security Advisories, that it's my opinion that it is unsuitable for inclusion in Ubuntu as long as no one is doing Ubuntu security updates for asterisk. ** Description changed: Consider removing asterisk from Ubuntu release but leave in -proposed. This would basically match what has been done in Debian 12 and 13 at the request of the Debian Security Team. See the attached Debian bug. It doesn't feel like Ubuntu Security is managing asterisk better than that. https://tracker.debian.org/pkg/asterisk If Archive Admins agree, they could keep this bug open as the block- proposed bug. Analysis ======== I don't think this _requires_ any other removals. In Debian, asterisk-espeak is not available in testing either. $ reverse-depends src:asterisk Reverse-Recommends ================== * asterisk-prompt-fr-armelle (for asterisk) $ reverse-depends -b src:asterisk Reverse-Testsuite-Triggers ========================== * asterisk-espeak (for asterisk) * asterisk-espeak (for asterisk-config) * dahdi-linux (for asterisk) * dahdi-linux (for asterisk-dahdi) + + There currently is not a Snap for Asterisk: + https://snapcraft.io/store?q=asterisk ** Description changed: Consider removing asterisk from Ubuntu release but leave in -proposed. This would basically match what has been done in Debian 12 and 13 at the request of the Debian Security Team. See the attached Debian bug. It doesn't feel like Ubuntu Security is managing asterisk better than that. https://tracker.debian.org/pkg/asterisk If Archive Admins agree, they could keep this bug open as the block- - proposed bug. + proposed bug, after adding the block-proposed tag. Analysis ======== I don't think this _requires_ any other removals. In Debian, asterisk-espeak is not available in testing either. $ reverse-depends src:asterisk Reverse-Recommends ================== * asterisk-prompt-fr-armelle (for asterisk) $ reverse-depends -b src:asterisk Reverse-Testsuite-Triggers ========================== * asterisk-espeak (for asterisk) * asterisk-espeak (for asterisk-config) * dahdi-linux (for asterisk) * dahdi-linux (for asterisk-dahdi) There currently is not a Snap for Asterisk: https://snapcraft.io/store?q=asterisk ** Tags added: update-excuse -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2133938 Title: Remove asterisk from Ubuntu release To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/asterisk/+bug/2133938/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
