[Bug 1760263] Re: RM: will become EOL upstream in December, not in testing
Steve Langasek
steve.langasek at canonical.com
Mon Apr 2 22:13:37 UTC 2018
I don't agree that it makes any difference to the actual security of the
end user, if the upstream security fixes exist but no one cares enough
about the package to include them in SRUs.

https://people.canonical.com/~ubuntu-security/cve/pkg/botan1.10.html
shows 6 unfixed CVEs against botan1.10 in Ubuntu 16.04.

All of these are of medium priority, so it's not necessarily an
indictment that there *haven't* been security updates for these. Still,
I find the rationale for dropping these packages from the release to be
rather weak.

- monotone, ovito, and botan1.10 all successfully build from source (as of the last test rebuild in Ubuntu - there are FTBFS bugs filed in Debian however?)
- monotone and ovito are user-facing applications which, while they may not have a broad userbase, don't appear to have any direct replacement in the archive.
- neither the monotone nor the ovito package has in principle done anything wrong by not switching to botan2, which only became available in sid and Ubuntu on March 17.
- the CVE history of botan1.10 suggests that having botan 1.10 vs. botan 2 in bionic is unlikely to have any impact on the security support received by the end user.
- none of these packages have yet been removed from Debian (though they have been removed from Debian testing).

If these packages had been removed from Debian, I would follow that
removal without question. But removal from testing is not by itself
enough of a reason to remove from Ubuntu, IMHO.
--
You received this bug notification because you are a member of Ubuntu
Package Archive Administrators, which is a bug assignee.
https://bugs.launchpad.net/bugs/1760263