[Pkg-matrix-maintainers] Bug#1036806: matrix-synapse: not suitable for inclusion in bookworm
Salvatore Bonaccorso
carnil at debian.org
Fri May 26 20:19:59 BST 2023
Hi Andrej,
On Fri, May 26, 2023 at 08:51:13PM +0200, Andrej Shadura wrote:
> Hi,
>
> On Fri, 26 May 2023, at 19:28, Salvatore Bonaccorso wrote:
> > I believe matrix-synapse is still in the same status as for #982991
> > back for the bullseye release, and not suitable to be included in
> > bookworm as stable release.
>
> In fact, I believe the situation has changed. Synapse is much more
> stable, as is the Matrix protocol itself, and there weren’t that
> many security issues.
For reference for the discussion: So there were at least the following
CVEs I think since the removal (maybe more, this is just rough
checking based on the CVE years):
https://security-tracker.debian.org/tracker/CVE-2023-32323
https://security-tracker.debian.org/tracker/CVE-2022-41952
https://security-tracker.debian.org/tracker/CVE-2022-39374
https://security-tracker.debian.org/tracker/CVE-2022-39335
https://security-tracker.debian.org/tracker/CVE-2022-31152
https://security-tracker.debian.org/tracker/CVE-2022-31052
> > As such let's have it removed from bookworm if you agree. If this is not
> > correct, we need to have assurance security fixes arising during the
> > bookworm cycle can be addressed.
>
> I believe I will be able to backport fixes — or ask for removal
> later if and when the need arises.
For the above CVEs, would the fixes have been isolated and backportable
enough to guarantee that? If so and you are confident you will be able
to backport the fixes, then please go ahead with closing this bug.
Personally I would just like to avoid that we release bookworm with it, and
after a while we already have to go through the removal request from
stable.
Regards,
Salvatore