On Fri, Aug 25, 2023 at 11:02:35PM -0400, Chris Frey wrote:
> On Fri, Aug 25, 2023 at 07:02:07AM -0400, Roberto C. Sánchez wrote:
> > To claim that "because this bug affects me, it *must* be
> > fixed, even when it does not meet the criteria for a normal security bug
> > and when the maintainer thinks there is a risk of breaking working
> > configurations for other users" is somewhat inconsiderate of others and
> > shows a disregard for the rather robust process that we try to utilize
> > to ensure that we properly balance the needs of everyone involved.
> 
> I don't think that's the claim, to be fair.
> 
> It's more:
> 
> Release      gdbm version   Status
> -----------  -------------  --------------
> Buster       1.18           no pre-read feature
> Bullseye     1.19           pre-read added, no way to disable it
> Bookworm     1.20           reverted back to default behaviour,
>                             added GBM_PREREAD to enable it
> 
> It's a regression in upstream, which upstream agreed with, and upstream
> fixed it.
That said, it changes nothing of the things that I pointed out. Whether
it is a new bug, a regression, or whatever else originating from upstream,
the point is that it works in a particular way in the version that
shipped with the release of bullseye. The concern of the maintainer is
that applying upstream's change risks breaking other working
configurations.

> The question is how to get the benefits to Bullseye users.
> 

It seems that if there were a way to get the new upstream release into
bullseye, it would address the issue. However, while applying the patch
to 1.19 has risks, updating to 1.20 almost certainly has other risks.
Even if it can be proven to be a risk-free change, there are very few
packages which fall into the category of "circumstances around the
package are such that new upstream releases are allowed into the stable
releases". Given the reverse dependencies of this package, that seems
like an unlikely occurrence here.

> > On Fri, Aug 25, 2023 at 01:41:36PM +0200, Christopher Huhn wrote:
> > A backport of the bookworm package would be my way to go, I guess.
> 
> This is probably the easiest path, if someone can upload it to
> debian backports for Marc.
> 

However, do keep in mind that the -backports repo is not supported by
the LTS team. That is to say, once bullseye passes to LTS, there will be
no further updates to packages in bullseye-backports. In the event that
there is a concern that this package might be affected by a security
vulnerability that needs to be patched during the LTS lifespan, it is
best to plan for an upgrade to bookworm at the earliest convenience.

Regards,

-Roberto

-- 
Roberto C. Sánchez