[pkg-go] Bug#1138247: Upgrade to Prometheus 3.5

Reinhard Tartler siretart at tauware.de
Thu Jun 18 23:58:59 BST 2026


Control: retitle -1 Upgrade to Prometheus 3.5

Hi everyone,

I've been working on a version 3.5.3+ds1-1 targeting experimental. This update
would address several important issues:

**Security fixes** (urgency: high):
  - CVE-2026-42151 and CVE-2026-42154 (Closes: #1135999)
  
**Reliability improvements**:
  - Fixes flaky tests (Closes: #1135260)
  - Refreshed all Debian patches for the new upstream release

The source package is available on my Salsa fork:

  https://salsa.debian.org/siretart/prometheus/-/tree/wip/debian/3.5.4

Current status and critical needs: This package is NOT ready for upload yet. It
has successfully built and passed basic install checks, but requires critical
review and testing before it can be uploaded to experimental.

The packaging continues to ship the classic template-based UI (pre-2.34) as
the default, matching the approach from the previous stable version.

The new mantine-ui React application is present in the source tree but is
neither built nor installed by the Debian packaging. This was a deliberate
choice to keep the packaging complexity manageable and avoid introducing npm
build dependencies at this stage.

What I'd consider required before upload to experimental:

1. **Runtime testing** (CRITICAL): Verify metric scraping, alerting, and
   federation features work correctly with the new version
   
2. **Service startup**: Test that systemd service starts cleanly and doesn't
   break existing configurations
   
3. **Upgrade path**: Verify smooth upgrade from 2.53.5+ds1-5 without data loss
   or configuration breakage

What would be nice to have:

1. **Web UI modernization**: Evaluate building the mantine-ui with Debian's
   nodejs toolchain, or continue with the classic UI + optional install-ui.sh
   approach
   
2. **Integration testing**: Test with common exporters (node_exporter,
   blackbox_exporter) and Grafana
   
3. **Performance validation**: Benchmark memory usage and query performance
   compared to 2.53.5

Given the security fixes, this should eventually be uploaded to experimental
for broader testing before considering migration to unstable. If anyone has
capacity to:

  - Test the package in a staging/test environment (most critical!)
  - Help with the web UI situation
  - Review the packaging changes and patches

I'd appreciate any kind of input! Once we have confirmed basic functionality,
we can proceed with uploading to experimental. Feel free to submit MRs against
my fork or coordinate here on the bug.

Thanks to everyone for maintaining this critical package!

Best regards,
-rt
