Hi Adam, hi Marc,

Let me try to explain the goal here, as it might give the impression that Adam got confused on seeing this request for the first time.
On Tue, Jan 07, 2025 at 09:58:16AM +0000, Adam D. Barratt wrote:
> On Tue, 2025-01-07 at 10:35 +0100, Marc Leeman wrote:
> > I'm part of the team that releases the Debian packages of GStreamer
> > into Debian. Sebastian had a discussion about a number of stability
> > and security issues in the GStreamer 1.22.0 version that is currently
> > in stable.
> >
> > The agreement with Salvatore was to upload the latest oldstable
> > release (1.22.12 at the time of writing) to address many of these.
> >
> > At the moment, all the packages have been prepared in the respective
> > salsa repositories [1] in the branches `pristine-tar`,
> > `debian/bookworm` and `upstream-bookworm` [2].
> >
> > I am new to the process of uploading new stable releases, so looking
> > into [3], the packages have the version `1.22.12-0+deb12u1` and
> > `bookworm` in the changelog
>
> I'm afraid I'm a little confused here.
>
> Salvatore is a member of the Security Team, not the Release Team. The
> Security Team are obviously free to agree to whatever updates they feel
> are appropriate via the security archive, but if you want to update
> packages in stable you need to agree that with the Release Team. So far
> as I'm aware, this is the first time the suggestion has been raised
> with us.
>
> As you referenced the relevant section of DevRef, if the request here
> is to update the packages via p-u then please file one release.d.o bug
> per source package including all the requested information.

Let me explain a bit how we came here with a request from Marc. While we were preparing the DSAs for gst-plugins-base1.0 (DSA-5831-1), gstreamer1.0 (DSA-5832-1) and gst-plugins-good1.0 (DSA-5838-1), the last one with a relatively big set of commits to address the CVEs, I got in contact with Sebastian, who is involved in Debian maintenance but, more importantly for this case, is upstream as well. He pointed out to us that the 1.22.x series is actually intended to carry those CVE fixes *and* important bugfixes.
The prepared uploads were still good enough and important to get out, so we opted not to respin them all, but in that discussion we agreed that it might be a good idea to approach you, the release team and stable release managers, to consider doing rebases to those stable versions of the 1.22.y series in a point release. Sebastian asked Marc whether he is interested in preparing this work. So this mail serves as a proposal for doing so in one of the next point releases (the next one is too late).

We (with my security team hat on) would strongly support switching to following the 1.22.y branch for the point releases and for upcoming GStreamer related security fixes. In fact, DSA-5838-1 had one backported patch which is correct on top of the source, but if we had rebased to the version in 1.22.y we would have fixed a bug (not a regression!) in the av1 parser as well. Notably, the version in bookworm misses https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/6d2bc8b8cd6ca8d5ea0f82145a6d52235fdcd631 (again we do not regress here, as the issue was present before, but it would have been a nice side effect to fix it as well).

Adam, does that give you enough background information on this request? It was not meant as: hey, the security team says we can rebase, and "bypass" the responsibility of the release team. Please let me know if you need any further information from Marc or Sebastian on specific 1.22.y questions.

Regards,
Salvatore