On 13/08/24 at 19:37, Sylvain Beucler wrote:
> Hi,
>
> On 13/08/2024 11:54, Moritz Mühlenhoff wrote:
> > On Mon, Aug 12, 2024 at 03:10:06PM -0300, Santiago Ruano Rincón wrote:
> > > On 08/08/24 at 12:10, Sylvain Beucler wrote:
> > > > python2.7 was marked unsupported in bullseye.
> > > >
> > > > We recently noted that pypy[v2] (included up to bullseye) and jython (all
> > > > dists) include the python2 stdlib. Unlike pypy3, neither package currently
> > > > tracks the associated CVEs.
> > > >
> > > > Do we want to mark pypy and jython as EOL, or limited-support, in
> > > > debian-security-support?
> > >
> > > For pypy and jython/bullseye, I would include them in
> > > security-support-limited.deb11, with the same rationale as for
> > > python2.7. Any objection?
> > >
> > > Security team, may we have your thoughts, especially about jython (since
> > > it is included also in bookworm and trixie)?
> >
> > Let's add it to security-support-limited for all suites (until
> > at some point it gets ported to Py3)
>
> Thanks, MR submitted :)
>
> https://salsa.debian.org/debian/debian-security-support/-/merge_requests/28
Following a discussion on IRC, it seems that for bullseye, it would make more sense to explicitly declare the python 2 ecosystem (python2.7, pypy, jython) as not supported. This is actually the current status, since python2.7 hasn't received any security update so far in bullseye. From the bullseye release notes, we can read:

"Python 2 is already beyond its End Of Life, and will receive no security updates. [1]"

[1] https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#noteworthy-obsolete-packages

Also, the entries in the security tracker support this conclusion:

[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)

I think there is some confusion about what security-support-limited.* is meant for. At least, I had forgotten to take into account a comment by Moritz about how the security team understands the packages included in security-support-limited at the time of a Debian release. I hope solving https://bugs.debian.org/1053462 would help to better understand the status of such packages.

If there are no objections, I will create a MR to move python2.7, pypy and jython from security-support-limited.deb11 to security-support-ended.11.

Cheers,

-- 
Santiago