Bug#1031046: Only include in Bookworm with commitment to stable updates

Jonas Smedegaard jonas at jones.dk
Fri Dec 13 22:07:15 GMT 2024


Quoting Martin Rampersad via Pkg-voip-maintainers (2024-12-13 22:30:43)
> Regarding how to resolve this bug, see #1030669 which has the same demand
> and was closed by a promise from Marco d'Itri. If you don't look him up or
> already know who he is, he says "I manage about 150 instances of Varnish,
> so let's just assume that I have the experience needed and some motivation."
> Moritz replies "Noted, thanks".
> 
> It's only when you research the individual that you find he has been a
> Debian Developer for 27 years, so perhaps Marco's casual attitude
> is an inside joke.
> 
> If you follow the work done, you will see that the result is 3 commits
> over the last 18 months (varnish:debian/7.1.1-1.1) and two CVEs marked as
> "ignored, too minor" in the varnish package tracker.

Thanks for the research.

Yes, I know Marco.  I think I haven't met him in person, but not sure -
but he has a strongly opinionated and confident voice on mailing
lists.

The concern raised by the security team is real: Marco may easily be
able to manage the level of security bugs expected for the 150 packages
that he maintains, and I will also argue generally that I am relatively
fine handling the 700+ packages I am involved in.  But among those,
asterisk is one of very few packages that stick out as a) having a large
amount of CVEs, and b) more likely than not deviating upstream so much
over the course of its lifetime in Debian, that patches cherry-picked
upstream do not apply.

In short, I genuinely cannot handle security issues on my own.

Other similarly CVE-ridden packages, like Ghostscript, have been a
deep dependency, so that even if others in Debian did not care much
for the package itself, when I gave up on fixing CVEs others chimed in
and helped out anyway, but asterisk is a fringe package so it is easier
for those not caring about the functionality of the package to back out
and let it rot.

Asterisk needs more maintainers, or it will not survive in Debian.

> I accept that I'm not yet qualified to make this promise for asterisk. I'll
> level up my Debian participation and try again later.

Why later? Why not now?

You are aware that there might not be a later, right?

You are aware that if you reappear close to the next freeze, it may
again be too close to a deadline?

Regardless, thanks for your interest in asterisk - however it
materialises,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely  [ ] ask before reusing  [ ] keep private