[Pkg-matrix-maintainers] Bug#1036806: matrix-synapse: not suitable for inclusion in bookworm

Salvatore Bonaccorso carnil at debian.org
Tue May 30 15:24:07 BST 2023


Hi Andrej,

On Sun, May 28, 2023 at 02:17:36PM +0200, Salvatore Bonaccorso wrote:
> Hi
> 
> For those following the bugreport:
> 
> On Fri, May 26, 2023 at 09:19:59PM +0200, Salvatore Bonaccorso wrote:
> > Hi Andrej,
> > 
> > On Fri, May 26, 2023 at 08:51:13PM +0200, Andrej Shadura wrote:
> > > Hi,
> > > 
> > > On Fri, 26 May 2023, at 19:28, Salvatore Bonaccorso wrote:
> > > > I believe matrix-synapse is still in the same status as for #982991
> > > > back for the bullseye release, and not suitable to be included in
> > > > bookworm as stable release.
> > > 
> > > In fact, I believe the situation has changed. Synapse is much more
> > > stable, as is the Matrix protocol itself, and there weren’t that
> > > many security issues.
> > 
> > For reference for the discussion: So there were at least the following
> > CVEs I think since the removal (maybe more, this is just rough
> > checking based on the CVE years):
> > 
> > https://security-tracker.debian.org/tracker/CVE-2023-32323
> > https://security-tracker.debian.org/tracker/CVE-2022-41952
> > https://security-tracker.debian.org/tracker/CVE-2022-39374
> > https://security-tracker.debian.org/tracker/CVE-2022-39335
> > https://security-tracker.debian.org/tracker/CVE-2022-31152
> > https://security-tracker.debian.org/tracker/CVE-2022-31052
> > 
> > > > As such let it have removed from bookworm if you agree. If this is not
> > > > correct, we need to have assurance security fixes arising during the
> > > > bookworm cycle can be addressed.
> > > 
> > > I believe I will be able to backport fixes — or ask for removal
> > > later if and when the need arises.
> > 
> > For the above CVEs, would the fixes have been isolated and backportable
> > enough to guarantee that? If so and you are confident you will be able
> > to backport the fixes, then please go ahead with closing this bug.
> > 
> > Personally I just would like to avoid that we release bookworm with it, and
> > after a while we already have to go through the removal request from
> > stable.
> 
> Andrej checking on the above. If it's deemed feasible we will give it
> a go.
> 
> Ideally though we should remove it now before the release if it's
> unfeasible to maintain, because otherwise there are higher
> expectations if it's in the initial release.
> 
> A removal needs to be requested directly as respective bug to the
> release team, as autoremovals will likely not trigger right now for
> this case.
> 
> Andrej, do you have already some information?

Did you already get a reply from upstream?

As discussed face to face, if we start shipping it in bookworm
but would need to remove it relatively early, the impact is higher,
because people will already have started to rely on it.

Thus, being unsure, I would err on the safe side. Clarify it early in
the trixie release cycle with upstream and potentially target trixie
for inclusion.

The removal from testing would need to happen before the quiet phase
starts in some days.

What do you think?

Regards,
Salvatore