Hello Daniel!

Thanks a lot for preparing this update. However, I have some
comments/questions below:

On 05/12/24 at 08:03, Daniel Baumann wrote:
> Hi,
> 
> although ceph 14 is not affected by the RGW issue from yesterday
> (#1088993, CVE-2024-48916), I have similar to [bookworm] also prepared
> updates of the last ceph 14 point-release for bullseye:

FTR, the LTS releases don't have point-releases.

>   * Changelog:
> 
> https://salsa.debian.org/ceph-team/ceph/-/blob/debian/bullseye-security/debian/changelog
> 
>   * Packages:
> 
> https://bad9.bfh.science/ceph/14.2.22-0+deb11u1/ceph_14.2.22-0+deb11u1.dsc
> 
> Please let me know if you'd like me to change anything (here or on
> #debian-lts), or if I can proceed to upload.

If CVE-2024-48916 does not impact bullseye's ceph, what other important
issues would be fixed with this upstream release? Does it fix any of the
other four (no-dsa) CVEs, currently open in bullseye?

https://security-tracker.debian.org/tracker/source-package/ceph:
https://security-tracker.debian.org/tracker/CVE-2021-3979
https://security-tracker.debian.org/tracker/CVE-2022-0670
https://security-tracker.debian.org/tracker/CVE-2022-3650
https://security-tracker.debian.org/tracker/CVE-2023-43040

In other words, could you please give more details about the
rationale for packaging this upstream release?

Other than that (in the context of the LTS Team), we avoid changes such
as:

diff -Nru ceph-14.2.21/debian/control ceph-14.2.22/debian/control
--- ceph-14.2.21/debian/control 2021-05-27 07:04:21.000000000 -0300
+++ ceph-14.2.22/debian/control 2024-12-05 03:05:17.000000000 -0300
@@ -7,6 +7,7 @@
  Gaudenz Steinlin <gaud...@debian.org>,
  Bernd Zeimetz <b...@debian.org>,
  Thomas Goirand <z...@debian.org>,
+ Daniel Baumann <dan...@debian.org>,
 Build-Depends:
  cmake,
  cython3,
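
Review bot: the added `Daniel Baumann <dan...@debian.org>,` entry in the maintainer list just above Build-Depends in debian/control is a metadata-only change that no fix depends on, so it enlarges the debdiff that has to be reviewed for this update. I'd drop this line and leave debian/control as it is in 14.2.21 unless a build-related change requires touching it.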

We aim at making the minimal possible changes. Personally, I would avoid
d/watch update too. JFTR, we accept enabling the CI in salsa, and adding
autopkgtests that can confirm we don't introduce regressions.

One final question: could you please detail how you have tested these
packages?

Thank you,

 -- Santiago
