[Pkg-matrix-maintainers] Bug#1036806: matrix-synapse: not suitable for inclusion in bookworm
Salvatore Bonaccorso
carnil at debian.org
Sun May 28 13:17:36 BST 2023
Hi
For those following the bugreport:
On Fri, May 26, 2023 at 09:19:59PM +0200, Salvatore Bonaccorso wrote:
> Hi Andrej,
>
> On Fri, May 26, 2023 at 08:51:13PM +0200, Andrej Shadura wrote:
> > Hi,
> >
> > On Fri, 26 May 2023, at 19:28, Salvatore Bonaccorso wrote:
> > > I believe matrix-synapse is still in the same status as for #982991
> > > back for the bullseye release, and not suitable to be included in
> > > bookworm as stable release.
> >
> > In fact, I believe the situation has changed. Synapse it much more
> > stable, as is the Matrix protocol itself, and there weren’t that
> > many security issues.
>
> For reference for the discussion: So there were at least the following
> CVEs I think since the removal (maybe more, this is just rought
> checking based on the CVE years):
>
> https://security-tracker.debian.org/tracker/CVE-2023-32323
> https://security-tracker.debian.org/tracker/CVE-2022-41952
> https://security-tracker.debian.org/tracker/CVE-2022-39374
> https://security-tracker.debian.org/tracker/CVE-2022-39335
> https://security-tracker.debian.org/tracker/CVE-2022-31152
> https://security-tracker.debian.org/tracker/CVE-2022-31052
>
> > > As such let it have removed from bookworm if you agree. If this is not
> > > correct, we need to have assurance security fixes arising during the
> > > bookworm cycle can be addressed.
> >
> > I believe I will be able to backport fixes — or ask for removal
> > later if and when the need arises.
>
> For the above CVEs, would have the fixes be isolated and backportable
> enough to guarantee that? If so and you are confident you will be able
> to backport the fixes, then please go ahead with closing this bug.
>
> Personally I just would like to avoid we release bookworm with it, and
> after while we have already to go trought the removal request from
> stable.
Andrej checking on the above. If it's deemed feasible we will give it
a go.
Ideally though we should remove id now before the release if it's
unfeasable to maintain, because otheweise there are higher
expectations if it's in the initial release.
A removal needs to be requested directly as respective bug to the
release team, as autoremovals will likely not trigger right now for
this case.
Andrej, do yu have already some information?
Regards,
Salvatore
More information about the Pkg-matrix-maintainers
mailing list