Thanks Bastian, Utkarsh and Sylvain,

My goal is to clear out any remaining high severity issues and provide better 
responsiveness for back porting during future releases of wolfSSL. At least for 
the 5.7.2 (Trixie) and 5.5.4 (bookworm) versions, I need to see if there are 
others I’ve fallen behind on that are still relevant. It will take awhile to 
get the remaining bookworm issues resolved though, but I am hoping to clear off 
the most recent ones first to get the CVE back porting Debian process down well.

Before I had focused in on only the new testing/SID bundles and the LTS support 
had fallen behind, sorry for that. Completely understand if holding off before 
reversing the EOL on bookworm, but it is our plans to better support the LTS 
versions going forward. Maybe you could wait and see how the next couple 
wolfSSL releases are handled by us? We target a release roughly every 3 months.

Warm Regards,
Jacob

> On Jul 13, 2026, at 6:03 AM, Utkarsh Gupta <[email protected]> wrote:
> 
> Hello,
> 
> On Mon, Jul 13, 2026 at 12:32 PM Sylvain Beucler <[email protected]> wrote:
>>> Let me know if you have any other questions or concerns.
>> 
>> It's great that people at wolfSSL can provide fixes for bookworm :)
>> 
>> Note that we had to mark wolfssl for bookworm as end-of-life ~1.5 month ago:
>> https://salsa.debian.org/debian/debian-security-support/-/blob/master/security-support.deb12
>> 
>> "wolfssl non-supported 5.5.4-2+deb12u2 Crypto library difficult to
>> support in the longterm; see: https://bugs.debian.org/1138294";
>> 
>> We might revert/postpone this decision if there's upstream interest to
>> maintain wolfssl 5.5/bookworm. What are your plans?
> 
> I had a similar thought while replying to Jacob and Bastian.
> 
> I think it's reasonable for these two things to coexist. Even if
> wolfSSL remains marked as end-of-life, we could still provide
> occasional one-off fixes for sufficiently serious security issues when
> someone is willing to do the work.
> 
> Of course, it would be even better if upstream is able to commit to
> providing fixes regularly. Depending on their response and level of
> commitment, I think we could keep the package EOL'd for now, continue
> to accept occasional fixes, and see how that works in practice. If
> that proves sustainable over the course of a few updates, we could
> then consider moving wolfSSL to limited-support, perhaps?
> 
> My main concern is avoiding a situation where we reverse the EOL
> decision prematurely, only to discover later that the LTS team can't
> realistically guarantee ongoing support and have to mark it EOL again.
> 
> Thoughts?
> 
> 
> - u

Reply via email to