[Pkg-matrix-maintainers] Bug#982991: matrix-synapse: not suitable for inclusion into bullseye

Andrej Shadura andrewsh at debian.org
Wed Feb 17 20:57:23 GMT 2021


Package: src:matrix-synapse
Severity: normal
Tags: upstream
X-Debbugs-Cc: Dan Callahan <danc at element.io>, team at security.debian.org


As has been discussed with the upstream and the security team, it’s best
to not include Synapse in stable releases just yet. It was originally
included in Buster, but as freeze happened just a few months before
the release of 1.0, Buster ended up with a version missing important
code updates and it had to be removed when backporting security fixes
was proven to be infeasible (see #959723).

Dan Callahan of Element writes:

> Unfortunately, I expect an even greater rate of code churn and security
> fixes throughout 2021, and my team does not currently have the capacity
> to assist with backporting fixes, nor to maintain a long-lived stable
> branch. I've mentioned my concerns to the package maintainer, but I'm
> concerned that he may be overly optimistic and we'll find ourselves
> repeating the pain of removing matrix-synapse from a Debian release.

> Shipping software with known vulnerabilities in stable harms users
> and places their servers at risk. Pulling a package from the archive
> inconveniences users, creates work for the release managers, and reflects
> poorly on the packaged software.

The security team also agreed and pointed out #959723 was something that
shouldn’t be repeated.

This bug will be raised in severity to "serious" when Bullseye freezes
completely, which will likely happen in April. Before that, keeping
it at a lower severity should enable backports to Buster.

-- 
Cheers,
  Andrej



More information about the Pkg-matrix-maintainers mailing list