Hi Santiago,

thank you for your feedback.

On 12/5/24 16:57, Santiago Ruano Rincón wrote:
>> updates of the last ceph 14 point-release for bullseye:
> 
> FTR, the LTS releases don't have point-releases.

yes, I was referring to the last point-release of ceph 14.x.

> If CVE-2024-48916 does not impact bullseye's ceph, what other important
> issues would be fixed with this upstream release?

Upstream provides only git-log style changelogs for ceph point releases,
but I can walk through them and pick up all the things that justify it,
this will take a couple of days to do so.

> Does it fix any of the
> other four (no-dsa) CVEs, currently open in bullseye?

I guess it fixes some of them at least, I can check.

> In other words, could you please give more details about what is the
> rationale of packaging this upstream release?

I didn't know it's required as I thought given how ceph works that going
from one ceph point release to another is by itself already ok.

but sure, I'm happy to do so :)

apart from specifics (see above), in general I'd like to see Debian
shipping ceph point-releases properly, like it's possible for other
packages (e.g. postgresql). if we don't do that in Debian, that changes
nothing for the users - they will just (keep) not using ceph from Debian
and use third-party ceph repositories with lesser
(quality/architecture-supported) packages.

> Other than that (in the context of the LTS Team), we avoid changes such
> as:

essentially the maintainer and watch file update are cherry picks from
unstable which were ok for the stable-security upload I did, so I
figured it would make sense to have them LTS too (and be consistent).

restricting the watch file to the ceph major version only is just to
make my maintainer's life easier - otherwise I have to manually change
it, run uscan, then revert it back. this can be avoided by making it
look for ceph 14.* versions only, rather than all versions.

> One final question: could you please detail how have you tested these
> packages?

normally we test any ceph updates in Debian first on the test cluster,
then on the production cluster, and then upload to Debian.

given that the production clusters are on ceph 16 resp. 18, I've only
tested this update on the test cluster, by deploying it with buster and
then upgrading to these proposed packages. The upgrade worked and I
didn't find any issues with any of the services.

Regards,
Daniel
