Am Tue, Jun 03, 2025 at 09:44:42AM +0200 schrieb Sebastian Ramacher:
> Hi
>
> On 2025-06-02 00:25:41 +0200, Lorenzo wrote:
> > On Thu, 22 May 2025 20:46:34 +0200 Sebastian Ramacher
> > <[email protected]> wrote:
> > > Control: severity -1 serious
> >
> > Hi Sebastian,
> >
> > I'm a bit surprised about the timing of the removal, is this the final
> > call about the severity from Release Team?
>
> Bug severity and removal are two different topics. But unless the
> security team re-evaluated their position on support for isc-dhcp, this
> is a bug of serious severity. Security team, has your viewpoint on
> isc-dhcp changed?
We marked it as unsupported a long time ago, but whether this means
that it not should not be part of trixie is an orthogonal question.
We have other packages in trixie and earlier releases which are not
covered by security support (e.g. qtwebkit/qtwebengine).
Anyone using it can make their own call what the lack of security
support means for their deployment, there's certainly some use cases
where a lack of security updates is still perfectly fine.
Any for anyone who this isn't, there's the possibility to move from
ISC DHCP to Kea within bookworm given it ships both.
>From my PoV this could also be handled by
- tag #1106121 trixie-ignore
- maybe add a specific note to the release notes to make the lack
of updates more visible than just src:debian-security-support
- update the package to just build the DHCP relay shortly after
trixie is released (to avoid having the same discussion two months
before the forky release). And remove it for good when a replacement
has emerged for the DHCP relay.
Cheers,
Moritz
