[Pkg-xen-devel] irt: Xen 4.11 Security-Support ended

Elliott Mitchell ehem+debian at m5p.com
Wed Aug 4 02:41:30 BST 2021


This is unfortunately not a surprise; the question is what to do about
this.

Real solution would be the Xen organization giving longer security
support for some versions so Debian could stick to those.  I won't hold
my breath for this, particularly in light of Xen seeing rather a lot of
support from Citrix and this likely not being in Citrix's interests.
Plus those long security support versions might manage the exact same
sort of adverse release alignment.

Big problem with the version from testing is xen-utils-4.14 depends upon
libc6 >= 2.29.  Most of the rest of the dependencies are readily
installable on stable, but updating libc6 is highly problematic.  Good
news is if the dependencies are right and the 4.14 hypervisor will work
with the 4.11 utils, then the hypervisor is where most of the security
exposure is and that covers most of the issue.

What may be more realistic for the longer run is to get more incremental
versions into backports.  The original Debian model of a major release
every 2-4 years is being eroded and I'm unsure it is possible to resist.


-- 
(\___(\___(\______          --=> 8-) EHM <=--          ______/)___/)___/)
 \BS (    |         ehem+sigmsg at m5p.com  PGP 87145445         |    )   /
  \_CS\   |  _____  -O #include <stddisclaimer.h> O-   _____  |   /  _/
8A19\___\_|_/58D2 7E3D DDF4 7BA6 <-PGP-> 41D1 B375 37D0 8714\_|_/___/5445




