[Pkg-netatalk-devel] More patches to flag as submitted upstream

Daniel Markstedt markstedt at gmail.com
Thu May 4 02:57:28 BST 2023


> The judgement is not so much the specific CVEs as it is a network-facing
> service with a history of ongoing CVEs being maintained effectively by
> only one person.

Fair enough. I can understand that the state of the project didn't look good
when they made that call. So when does the release team start considering
packages for inclusion again? Mid 2025? Anything special you have to do
to make them take a second look at packages that were discarded in a prior
release cycle?

> In principle it is possible to appeal, but personally I have a severe
> discomfort with "begging for mercy" towards the Debian release team
> (despite being good friends with people from that team). So if others
> (perhaps you, perhaps others more familiar with Debian reading this?)
> want to give it a try, then please do - but speaking for myself, I
> would rather let the whole World be without a stable netatalk for 3
> years than request its reinclusion.

To be frank I don't have a ton of personal investment in netatalk3 so I am
ok with leaving it as is. In fact, maybe we will get a renewed engagement
in the project when people lose the package after a distro upgrade.
I apologize preemptively to all fans of netatalk3. I know it has a lot
of utility if you only run a network of OSX machines. :-)

BTW, I saw in your changelog commit:

>  [ upstream ]
>  * new release
>    + fixes CVE-2022-45188 CVE-2022-45188;

Shouldn't this be:

"fixes CVE-2022-43634 CVE-2022-45188"

On Wed, May 3, 2023 at 2:43 AM Jonas Smedegaard <jonas at jones.dk> wrote:
>
> Quoting Daniel Markstedt (2023-05-02 20:35:33)
> > > Unfortunately the package will *not* make it for the upcoming release of
> > > Debian: The lack of attention to package in the fall (my maintaining it
> > > alone, with too much on my plate) made the security team discourage its
> > > inclusion, and by now it is too late to release to get it reintroduced.
> >
> > That's a bummer! But I'm not easily discouraged so don't worry, haha.
>
> Excellent.
>
> > We didn't have the fixes for the last few CVEs back in last fall anyways,
> > so it might not have made a difference.
> >
> > Is there an appeals process or some other way to get a package
> > reevaluated for inclusion in a stable release during its lifetime?
>
> The judgement is not so much the specific CVEs as it is a network-facing
> service with a history of ongoing CVEs being maintained effectively by
> only one person.
>
> In principle it is possible to appeal, but personally I have a severe
> discomfort with "begging for mercy" towards the Debian release team
> (despite being good friends with people from that team). So if others
> (perhaps you, perhaps others more familiar with Debian reading this?)
> want to give it a try, then please do - but speaking for myself, I
> would rather let the whole World be without a stable netatalk for 3
> years than request its reinclusion.
>
>
> > And as long as the package lives on in Sid, it can be considered for any
> > future stable release, I assume?
>
> That's correct.
>
> > But anyways, having a deb for folks to pull from an unofficial repo is still
> > a big step up from asking users to build it from scratch.
>
> Certainly.
>
> > No rush with netatalk2. We have some additional fixes lined up.
> > I might cut another release in a few weeks.
>
> :-)
>
>
>  - Jonas
>
> --
>  * Jonas Smedegaard - idealist & Internet-arkitekt
>  * Tlf.: +45 40843136  Website: http://dr.jones.dk/
>  * Sponsorship: https://ko-fi.com/drjones
>
>  [x] quote me freely  [ ] ask before reusing  [ ] keep private
