On Thu 2021-06-03 01:37:25 +0300, Adrian Bunk wrote:
> Overall it feels like a package with high CVE risk and 0 users
> in bullseye.

I agree with Jason that some people may use non-standard, older kernels with bullseye, so there is some value in continuing to provide wireguard-dkms in bullseye to help those folks. (i'm thinking about people running older hardware that has had support dropped in newer kernels, for example).

It is not going to be exactly 0 users, but i expect the number to be small. At the same time, a package with a small number of users presents a smaller attack surface if a CVE does come up.

The stock kernels already avoid people accidentally pulling in wireguard-dkms by default if they just "apt install wireguard".

At some point, though, people who choose to run their own (non-debian) kernel will need to effectively take responsibility for their kernel modules as well, so i do not expect Debian to continue shipping wireguard-dkms indefinitely. I do not expect to ship it in bookworm (bullseye+1), for example.

--dkg