Hello Credativ Team,
It seems that some months have passed since there was any activity on
the Xen package in Debian LTS jessie. Proceeding under the assumption
that Credativ was no longer maintaining Xen in Debian LTS jessie, a few
days ago I started looking into the existing open vulnerabilities and
initiated a discussion on the debian-lts@lists.debian.org mailing list
to seek some thoughts on how we might handle the package going forward.
It was pointed out to me that I should contact you regarding this
matter.
Is it then Credativ's intent to continue maintenance of Xen 4.4? If so,
could you provide some information on when we might expect the next
update? If not, I would like to request that you begin the process of
delcaring Xen in Debian LTS jessie as end-of-life [*].
Regards,
-Roberto
[*] In the mailing list discussion one of the Debian Security team
members mentioned that even Xen 4.8 in Debian stretch had been
declared end-of-life and would not longer receive security support
in Debian. Given the complexity of the Xen package and the amount
of effort to continue to address new vulnerabilities, it seems that
delcaring end-of-life is the only sensible approach if Credativ will
no longer maintain Xen in Debian LTS jessie.
--
Roberto C. Sánchez
