Markus Koschany wrote: > Am Mittwoch, den 20.01.2021, 04:32 -0500 schrieb Robert Edmonds: > [...] > > I would be OK with promoting an unbound package based on 1.9.6-2 (the > > last 1.9.x package) to buster, if that's OK with the release team. > > Hello Robert, > > As you know we have had a request from users to "resurrect" unbound in Debian > 9 > "Stretch". We have discussed several options internally and we came to the > conclusion that we can just backport the current version of unbound in Buster > and apply the patch to fix CVE-2020-28935. In order to avoid rebuilds of > reverse-dependencies we have decided to introduce a new source package called > unbound1.9 which takes over the binary packages unbound, unbound-anchor, > unbound-host and libunbound8. This allows us to avoid rebuilding reverse- > dependencies of libunbound2 in Stretch which is not necessary because they are > not affected by the reported security vulnerabilities. You also don't have to > feel responsible for those changes because we track them in a different source > package. > > So far the users in Stretch can't reproduce the reported instability bugs in > Buster and everything looks fine. Therefore we intend to maintain the 1.9.0 > version and apply patches on top of it, if necessary. > > In order to fix those bugs in Debian 10 "Buster" we could upgrade to the > latest > version in the 1.9.x series. The bug reporters claimed that version 1.9.2 or > 1.9.3 would fix it for them. > > I have prepared a new release for Buster and uploaded it to > > https://people.debian.org/~apo/buster/unbound/ > > In my opinion we should let those bug reporters test the update. If this is > successful we should try to get this into the next buster point update. > > What are your thoughts? > > Regards, > > Markus
Hi, Markus: I'm OK with both of these plans. For the proposed 1.9.6 buster update, can you send me git commits based against https://salsa.debian.org/dns-team/unbound/-/tree/branches/1.9.0-2_deb10 ? Thanks! -- Robert Edmonds edmo...@debian.org
