Report forwarded
to debian-bugs-dist@lists.debian.org, Christoph Biedl <debian.axhn@manchmal.in-ulm.de>: Bug#814557; Package debian-security-support.
(Fri, 12 Feb 2016 23:24:05 GMT).
Acknowledgement sent
to Antoine Beaupré <anarcat@debian.org>:
New Bug report received and forwarded. Copy sent to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>.
(Fri, 12 Feb 2016 23:24:05 GMT).
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: drop support for libmatroska and libebml in squeeze (and wheezy?)
Date: Fri, 12 Feb 2016 18:20:24 -0500
Package: debian-security-support
Version: 2016.01.07~deb6u1
Severity: wishlist
I am not sure exactly how to maintain this package, so I file this as
a bug for now, as I was informed we may or may not need multiple
uploads (to all suites!) to update this... (See also #762594.)
Basically, VLC and other similar packages are EOL in squeeze, but
libebml and matroska still show up on our radars. As discussed here, I
believe those two packages should be marked as unsupported here:
https://lists.debian.org/debian-lts/2016/02/msg00018.html
I'll do this as soon as I figure out how to do this myself, otherwise
feel free to bundle this in the next uploads.
-- System Information:
Debian Release: 8.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (500, 'oldstable'), (1, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.2.0-0.bpo.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Changed Bug title to 'debian-security-support: Drop support for libmatroska and libebml in wheezy?' from 'drop support for libmatroska and libebml in squeeze (and wheezy?)'.
Request was from Holger Levsen <holger@layer-acht.org>
to control@bugs.debian.org.
(Mon, 09 May 2016 09:42:07 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Christoph Biedl <debian.axhn@manchmal.in-ulm.de>: Bug#814557; Package debian-security-support.
(Thu, 12 May 2016 13:18:08 GMT).
Acknowledgement sent
to Santiago Ruano Rincón <santiagorr@riseup.net>:
Extra info received and forwarded to list. Copy sent to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>.
(Thu, 12 May 2016 13:18:08 GMT).
Hi,
Given the recent bug triaging, security-support-ended.deb7 needs more
updating. I'm taking Moritz's mail as reference, and I hope I am not
missing other info:
On 11/11/15 at 21:59, Sebastian Ramacher wrote:
> Hi
>
> On 2015-11-04 17:44:36, Raphael Hertzog wrote:
> > [ Many people are on copy, please trim the list as appropriate when you reply ]
> >
> > On Wed, 19 Aug 2015, Moritz Muehlenhoff wrote:
> > > These need to be discussed, since they will be a significant
> > > time drain (e.g. are they in the sponsors' interests?). They
> > > are supportable, but it will take a lot of work and sometimes
> > > special domain knowledge:
> > >
> > > icedove
> > > iceweasel
Any decision yet?
I could take a look at iceweasel/firefox next week, although I'm not
familiar enough with it.
> > > qemu
> > > qemu-kvm
> > > xen
xen will be supported.
> > > libvirt
qemu and qemu-kvm were triaged as unsupported for CVE-2016-3712, but I
think Guido is studying how to support virtualisation related packages,
and maybe we should wait for his evaluation.
> > > ffmpeg -> libav
waiting for input.
> > > vlc
> > > rails -> several split packages (only the 3.2 packages are supported in wheezy)
...
>
> The versions of libav and vlc in wheezy are all EOLed upstream. vlc is also
> behind some upstream releases in the 2.0.x series. If anyone intends to keep vlc
> alive for wheezy LTS, I'd recommend to upgrade to latest release there first.
For CVE-2016-3941, vlc has been triaged as unsupported in wheezy, so I
updated security-support-ended.deb7 accordingly in git.
What about rails?
Also, Antoine has filed a bug [1] regarding libmatroska and libebml,
but DLA-420-1 and DLA-438-1 addressed those packages. Antoine, why should
they be tagged as not-supported?
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814557
Cheers,
Santiago
Information forwarded
to debian-bugs-dist@lists.debian.org, Christoph Biedl <debian.axhn@manchmal.in-ulm.de>: Bug#814557; Package debian-security-support.
(Thu, 12 May 2016 14:09:09 GMT).
Acknowledgement sent
to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>.
(Thu, 12 May 2016 14:09:09 GMT).
On 12.05.2016 at 15:16, Santiago Ruano Rincón wrote:
[...]
>>>> qemu
>>>> qemu-kvm
>>>> xen
> xen will be supported.
>>>> libvirt
>
> qemu and qemu-kvm were triaged as unsupported for CVE-2016-3712, but I
> think Guido is studying how to support virtualisation related packages,
> and maybe we should wait for his evaluation.
>>>> ffmpeg -> libav
> waiting for input.
>
>>>> vlc
>>>> rails -> several split packages (only the 3.2 packages are supported in wheezy)
> ...
>>
>> The versions of libav and vlc in wheezy are all EOLed upstream. vlc is also
>> behind some upstream releases in the 2.0.x series. If anyone intends to keep vlc
>> alive for wheezy LTS, I'd recommend to upgrade to latest release there first.
>
> For CVE-2016-3941, vlc has been triaged as unsupported in wheezy, so I
> updated security-support-ended.deb7 accordingly in git.
[...]
Hello,
I saw those commits too yesterday. I would suggest that we discuss EOLed
packages on debian-lts before we mark CVEs as unsupported in Wheezy LTS.
We should defer the decision about qemu until Guido has concluded his
findings. The same goes for vlc and Brian May's investigation into the
maintainability of libav and related apps. In any case we should always
update debian-security-support as well when we decide to end support for
packages.
Regards,
Markus
Information forwarded
to debian-bugs-dist@lists.debian.org, Christoph Biedl <debian.axhn@manchmal.in-ulm.de>: Bug#814557; Package debian-security-support.
(Thu, 12 May 2016 14:09:12 GMT).
Acknowledgement sent
to Antoine Beaupré <anarcat@orangeseeds.org>:
Extra info received and forwarded to list. Copy sent to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>.
(Thu, 12 May 2016 14:09:12 GMT).
To: Santiago Ruano Rincón <santiagorr@riseup.net>,
debian-lts@lists.debian.org
Cc: 814557@bugs.debian.org
Subject: Re: Unsupported packages for Wheezy LTS
Date: Thu, 12 May 2016 10:03:39 -0400
On 2016-05-12 09:16:15, Santiago Ruano Rincón wrote:
> Also, Antoine has filed a bug [1] regarding libmatroska and libebml,
> but DLA-420-1 and DLA-438-1 addressed those packages. Antoine, why should
> they be tagged as not-supported?
Uh! I didn't see those go through, I'm surprised... My rationale was
exposed here:
https://lists.debian.org/debian-lts/2016/02/msg00014.html
Basically, ffmpeg was marked as unsupported, and matroska/libebml were
seen as related as they are a founding block, like ffmpeg/libav, for
media applications: if libav or ffmpeg is unsupported, basically
everything else falls apart and matroska support is somewhat less
relevant.
So I would say that matroska/libebml is dependent on libav support. But
I'm no multimedia team expert, others may have more competent advice.
A.
--
From the age of uniformity, from the age of solitude, from the age of
Big Brother, from the age of doublethink - greetings!
- Winston Smith, 1984
Reply sent
to Raphael Hertzog <hertzog@debian.org>:
You have taken responsibility.
(Fri, 13 May 2016 07:51:11 GMT).
Notification sent
to Antoine Beaupré <anarcat@debian.org>:
Bug acknowledged by developer.
(Fri, 13 May 2016 07:51:11 GMT).
Cc: Santiago Ruano Rincón <santiagorr@riseup.net>,
debian-lts@lists.debian.org, 814557-done@bugs.debian.org
Subject: Re: Unsupported packages for Wheezy LTS
Date: Fri, 13 May 2016 09:47:15 +0200
On Thu, 12 May 2016, Antoine Beaupré wrote:
> On 2016-05-12 09:16:15, Santiago Ruano Rincón wrote:
> > Also, Antoine has filed a bug [1] regarding libmatroska and libebml,
> > but DLA-420-1 and DLA-438-1 addressed those packages. Antoine, why should
> > they be tagged as not-supported?
>
> Uh! I didn't see those go through, I'm surprised... My rationale was
> exposed here:
>
> https://lists.debian.org/debian-lts/2016/02/msg00014.html
That rationale applied to squeeze, not to wheezy. Let's close
#814557 for now.
> So I would say that matroska/libebml is dependent on libav support. But
> I'm no multimedia team expert, others may have more competent advice.
It should not be too hard to look up packages depending on libmatroska and
see what they depend on... they are also not packages with a bad security
track record so we have no reason to drop them from support in general.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
Information forwarded
to debian-bugs-dist@lists.debian.org, Christoph Biedl <debian.axhn@manchmal.in-ulm.de>: Bug#814557; Package debian-security-support.
(Fri, 13 May 2016 07:54:03 GMT).
Acknowledgement sent
to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>.
(Fri, 13 May 2016 07:54:03 GMT).
Hello,
On Thu, 12 May 2016, Markus Koschany wrote:
> I saw those commits too yesterday. I would suggest that we discuss EOLed
> packages on debian-lts before we mark CVEs as unsupported in Wheezy LTS.
Definitely, we should not mark CVE as "end-of-life" before we agreed to
mark it as such in debian-security-support...
That said for vlc I think no customers expressed any need for that
package.
So I think we can stick to this decision and actually put it into
debian-security-support, even if we are going to support libav...
because vlc has many security issues of its own and contrary to libav
it's not a reverse dependency for many packages AFAIK.
> findings. The same goes for vlc and Brian May's investigation into the
> maintainability of libav and related apps. In any case we should always
> update debian-security-support as well when we decide to end support for
> packages.
And announce those changes at the same time ideally.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 11 Jun 2016 07:33:41 GMT).