Hi Ola, On Sat, Apr 13, 2024 at 12:49:49AM +0200, Ola Lundqvist wrote: > Hi fellow LTS contributors > > Today I started on bind9 and realized one thing. In bullseye the > security update is to release a new upstream version (released as > 1:9.16.48-1) instead of patching the old version > (1:9.16.44-1~deb11u1). For some reason the version used is -1 instead > of ~deb11u1. > I am not entirely sure why -1 was used, but I can tell you that ~deb11u1 was not used because the upload went through proposed-updates. It appears to also have gone to the security queue, but it isn't clear to me why that happened. In any event, an upload to proposed-updates would typically need a version like +bullseye1. However, stable already has a higher version (1:9.18.24-1), which guarantees that on upgrade from bullseye to bookwork the new version in bookworm will take priority.
Also, looking at security and proposed-updates for stable shows that the versions there were also uploaded with -1. Either way, it doesn't make a difference and it isn't something that we should worry about. > Since this is not the normal practice I'd like to check so we have a > common agreement that this is the best also for LTS/buster. > > In this case I think it is the safest method. Trying to pick the > individual patches can be risky. Assuming that you are suggesting that we upgrade buster to the bullseye version (9.16.48), then I disagree entirely. We cannot move bind9 to the bullseye version. > Or do we know any specific reason why we should not go this path? > In the case of buster we can't do what what was done for stable and oldstable. If you look at the versions there, here is what happened: stable: 9.18.19 -> 9.18.24 oldstable: 9.16.44 -> 9.16.48 The version in buster is 9.11.5.P4. We cannot upgrade to 9.16.48 without risking breaking changes for users. I haven't looked, but I assume that you are asking this question because there is not a new 9.11.x release that deals with the current vulnerabilities. If it happens to be the case that there is a new 9.11.x release that addresses the vulnerabilities, then that is potentially a path we could take. If there is not a 9.11.x version that we could migrate to, then we will need to carefully backport the patches and ensure that everything is rigorously tested. Regards, -Roberto -- Roberto C. Sánchez
