Plans for Shibboleth SP 2.1 debian packages

Russ Allbery rra at
Thu Nov 5 18:01:01 UTC 2009

"Scott Cantor" <cantor.2 at> writes:
> Russ Allbery wrote on 2009-11-05:

>> My guess would be two weeks.  The updated packages are difficult to
>> deploy because of the SONAME change, so they all have to go through NEW
>> processing in both Debian and in  I'm hoping to start
>> today with xmltooling, but expect it to take at least two days per
>> package, then the same for

> Am I correct that the update to 2.3 is just pulling and packaging upstream
> in full (not extracting the security-only portions)? That only applies to
> the 1.3 branch that was part of Debian itself?

Unfortunately, we're in a bad situation right now for Debian packages
because there are six separate sets of Shibboleth packages, all of which
need updates.  The whole picture looks like this:

1. New packages for Debian unstable, which are just packaging the latest
   releases from you.

2. New packages for, which depend on 1.

3. Security fixes for the version of Shibboleth 2.x that released with
   Debian lenny.  This is where the security-only portions are needed.
   I don't have a good read on how serious this vulnerability is.  It's
   going to be difficult for the security team to do the update through a
   regular security advisory due to the SONAME change and the multiple
   packages involved, so I'm sure they'd prefer to do this through the
   stable update process, but that means the new packages wouldn't be
   released until the next stable update.  I don't know how acceptable
   that is from a security standpoint.

4. Security fixes for the Shibboleth 1.x that released with lenny.  This
   too will want security-only patches.

5. Backport of the Shibboleth 1.x packages in lenny to oldstable (etch).

6. Security fixes for the Shibboleth 1.x that released with etch.

4-6 can be worked on independently of 1-3.  In order of priority, 2, 4, 1,
3, 5, 6 is roughly the sequence, but since 1 has to happen before 2,
that's my first step.

squeeze and future releases will be simpler due to no Shibboleth 1.x.

Russ Allbery (rra at               <>
