Allow asterisk to build on bookworm without bookworm-backports (systemd-dev dependency)

Jonas Smedegaard jonas at jones.dk
Thu Dec 12 09:41:52 GMT 2024


Quoting Martin Rampersad via Pkg-voip-maintainers (2024-12-12 02:28:29)
> Please forgive my ignorance, but you stated:
> > Here is the developer's view on the Debian packaging of Asterisk:
> > https://tracker.debian.org/pkg/asterisk
> > 
> > At that page, near the middle, is a listing of 3 CVEs open that
> > affects bookworm.
> 
> I visited the tracker, which states "There are 3 open security issues
> in bookworm". So I click the link. The word bookworm does not appear
> on the linked page. Maybe that was somehow the wrong link to click. I
> go back and click each individual CVE link. Each of those links all
> show asterisk as fixed for all versions (again no bookworm), and the
> linked bug is archived. It really looks like nothing is wrong there so
> I'm confused why the CVEs remain on the tracker page.
> 
> There is no branch called bookworm anywhere for asterisk that I have
> found, but I understand from another post you made that we can just
> create one. So if I just make a branch called debian/bookworm, then it
> will appear in the CVE tracker list? What commit do I base the
> debian/bookworm branch on? debian/latest? Something else?

Bookworm is the current stable Debian release.

Perhaps the tracker page assumes that asterisk is part of the stable
release (perhaps because it is part of an older release), and therefore
concludes that CVEs not explicitly closed for that release are still.

That smells like a bug in the tracker: Please file a bug report against
the pseudo-package tracker.debian.org as hinted at the bottom of the
tracker web page.


> I still don't know how to go from wanting to help to typing git commit
> on my backported patch and making progress.

This team maintains the asterisk package (and other packages too)
officially for Debian.  Confusingly, the tracker page includes older
no-longer-official branches maintained by the commercial LTS team.

I had forgotten that oldstable stopped being supported in Debian since
August 31st.

If the asterisk package is healthy across the board, then indeed there
is nothing to do, and no way of showing through action our ability to
handle security issues. Then the only approach possible is to post
commitment statements at the bug report, asking if the security team is
willing to trust those, or if they want to ban asterisk for several
years purely to create a playing field for us to demonstrate action
(which to me seems excessive).

Is asterisk really healthy across the board?  Or are some bugs missing
in the bugtracker, or some bugs not filed at adequate severity?

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely  [ ] ask before reusing  [ ] keep private