[Bug 1192367] Re: No security release provided in Lucid for CVE-2013-3567
Alex Vandiver
1192367 at bugs.launchpad.net
Thu Jun 20 17:58:02 UTC 2013

On Wed, 2013-06-19 at 11:55 +0000, Marc Deslauriers wrote:
> That file is the authoritative list of packages supported by the
> security team, and contains the list of packages we deemed able to
> support for 5 years instead of the base 3 years.

Understood, and not unreasonable. However, I did not find this clear in
the support announcements, or the documentation -- and I expect I am not
alone in this expectation. Did I misunderstand the "Supported" property
listed in dpkg and the "Maintenance Period" documentation from the wiki?
What can I do to help clarify the documentation of this limited security
support? Alternately, can you point me towards where this policy is
already documented?

As a follow-up question: in Precise, the server and desktop editions
both receive support for 5 years. Does this mean that Precise will
support all packages for 5 years, or is there a similarly limited set of
packages for which support will be provided?

> The puppet version in Lucid is ancient, is no longer supported by
> upstream, and is substantially different from the puppet patches
> provided for later versions. Even if it was on the list, we wouldn't be
> able to update it since the recent security fixes have rewritten large
> parts of code.
>
> If migrating to a later LTS release isn't possible, I suggest perhaps
> using the upstream packages available from Puppet Labs.

It's scheduled for next month, but that was based on the assumption that
security patches were still being supplied for all of the installed
software. It is notably complicated by the property that configuration
files from Puppet 0.25 (from Lucid) and 2.7 (from Precise) are neither
forward- nor backward-compatible, and thus requires coordinating the
upgrade across the puppetmaster server as well as all client machines
simultaneously.

> I'll also investigate if we can get the puppet version from
> Precise into lucid-backports.

Perhaps useful to others, but we plan on simply upgrading to a later
LTS, so not necessary for our site.

- Alex
--
https://bugs.launchpad.net/bugs/1192367
Title:
No security release provided in Lucid for CVE-2013-3567