Control: severity -1 important

El 19/05/25 a las 22:26, Bastian Blank escribió:

Source: isc-dhcp
Version: 4.4.3-P1-7
Severity: serious
X-Debbugs-Cc: waldi@debian.org

isc-dhcp is EOL and marked as not security supported. It should not be released with trixie.

See
https://lists.isc.org/pipermail/dhcp-users/2022-October/022786.html https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035972

Bastian

While I consider that users of isc-dhcp-{client,server} should migrate
to alternative implementation, I think it is too late now to ask for the removal of isc-dhcp, being so close to release trixie.

It is to note that, TTBOMK, there is currently no substitute for isc-dhcp-relay.

https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#deprecated-components
reads:

"The security team will support the isc-dhcp package during the bookworm lifetime, but the package will likely be unsupported in the next stable release, see bug #1035972 (isc-dhcp EOL'ed) for more details."

That doesn't mean that it will be remove in trixie.

debian-security-support/trixie already reflects the above.


The severity of this bug could be risen again after the release. Or the release team could also tag it ignore-trixie.

Cheers,

-- S

-----BEGIN PGP SIGNATURE-----

iHUEABYIAB0WIQR+lHTq7mkJOyB6t2Un3j1FEEiG7wUCaC9nOwAKCRAn3j1FEEiG 7zJ+AQCvqrJGuTzqNH2Wrmjej8SVPuQ/yV9bQgHEof0gzcwEigD+LkzW7k3pAbjU 4HMOV6z947z+cs2i+59TzlOYFpRfZA8=
=Mqb+
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2025-05-22 20:46:34 +0200, Sebastian Ramacher wrote:

Control: severity -1 serious

On 2025-05-22 15:04:43 -0300, Santiago Ruano Rincón wrote:

Control: severity -1 important

El 19/05/25 a las 22:26, Bastian Blank escribió:

Source: isc-dhcp
Version: 4.4.3-P1-7
Severity: serious
X-Debbugs-Cc: waldi@debian.org

isc-dhcp is EOL and marked as not security supported. It should not be released with trixie.

See
https://lists.isc.org/pipermail/dhcp-users/2022-October/022786.html https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035972

Bastian

While I consider that users of isc-dhcp-{client,server} should migrate
to alternative implementation, I think it is too late now to ask for the removal of isc-dhcp, being so close to release trixie.

It is to note that, TTBOMK, there is currently no substitute for isc-dhcp-relay.

https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#deprecated-components
reads:

"The security team will support the isc-dhcp package during the bookworm lifetime, but the package will likely be unsupported in the next stable release, see bug #1035972 (isc-dhcp EOL'ed) for more details."

That doesn't mean that it will be remove in trixie.

It's dead. Except for fai-quickstart all reverse dependencies have MRs.

Okay, only libguestfs has a MR. But still …

I am all for getting it removed.

Cheers
--
Sebastian Ramacher

--
Sebastian Ramacher

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, May 22, 2025 at 03:04:43PM -0300, Santiago Ruano Rincón wrote:

While I consider that users of isc-dhcp-{client,server} should migrate
to alternative implementation,

What is the alternative implementation for isc-dhcp-relay?

Greetings
Marc

-- ----------------------------------------------------------------------------- Marc Haber | "I don't trust Computers. They | Mailadresse im Header Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402 Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, May 23, 2025 at 10:37:11AM +0200, Chris Hofstaedtler wrote:

On Thu, May 22, 2025 at 09:37:05PM +0200, Marc Haber wrote:

On Thu, May 22, 2025 at 03:04:43PM -0300, Santiago Ruano Rincón wrote:

While I consider that users of isc-dhcp-{client,server} should migrate
to alternative implementation,

What is the alternative implementation for isc-dhcp-relay?

dnsmasq appears to have an DHCP relay implementation. I have not
tried it.

I think that we (Debian) should be able to give an answer to those
questions before pulling ISC DHCP.

Greetings
Marc

-- ----------------------------------------------------------------------------- Marc Haber | "I don't trust Computers. They | Mailadresse im Header Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402 Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

El 22/05/25 a las 20:34, Bastian Blank escribió:

On Thu, May 22, 2025 at 03:04:43PM -0300, Santiago Ruano Rincón wrote:

"The security team will support the isc-dhcp package during the bookworm lifetime, but the package will likely be unsupported in the next stable release, see bug #1035972 (isc-dhcp EOL'ed) for more details."
That doesn't mean that it will be remove in trixie.

So you will support this package?

Support in which terms? As mentioned already, it won't have security
support: https://salsa.debian.org/debian/debian-security-support/-/blob/c6f47cb42decabe13f064c8ab0aba75dd5be9b1c/security-support.deb13#L23

There are non-security bugs to be fixed, yes. But users cannot expect
security issues to be fixed.

-----BEGIN PGP SIGNATURE-----

iHUEABYIAB0WIQR+lHTq7mkJOyB6t2Un3j1FEEiG7wUCaDCNrQAKCRAn3j1FEEiG 7yGrAPwKDAZnXaumHAF++jIa2/yS2GvHQsHJ2YclXevcBkbaAAEA7+CJcm7G4K1q NvzXu4KyiqJtPB4BjRRvJX1LXAR1lA8=
=kLCt
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Am Tue, Jun 03, 2025 at 09:44:42AM +0200 schrieb Sebastian Ramacher:

Hi

On 2025-06-02 00:25:41 +0200, Lorenzo wrote:

On Thu, 22 May 2025 20:46:34 +0200 Sebastian Ramacher <sramacher@debian.org> wrote:

Control: severity -1 serious

Hi Sebastian,

I'm a bit surprised about the timing of the removal, is this the final
call about the severity from Release Team?

Bug severity and removal are two different topics. But unless the
security team re-evaluated their position on support for isc-dhcp, this
is a bug of serious severity. Security team, has your viewpoint on
isc-dhcp changed?

We marked it as unsupported a long time ago, but whether this means
that it not should not be part of trixie is an orthogonal question.
We have other packages in trixie and earlier releases which are not
covered by security support (e.g. qtwebkit/qtwebengine).

Anyone using it can make their own call what the lack of security
support means for their deployment, there's certainly some use cases
where a lack of security updates is still perfectly fine.

Any for anyone who this isn't, there's the possibility to move from
ISC DHCP to Kea within bookworm given it ships both.

From my PoV this could also be handled by
- tag #1106121 trixie-ignore
- maybe add a specific note to the release notes to make the lack
of updates more visible than just src:debian-security-support
- update the package to just build the DHCP relay shortly after
trixie is released (to avoid having the same discussion two months
before the forky release). And remove it for good when a replacement
has emerged for the DHCP relay.

Cheers,
Moritz

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)