• Bug#1103733: h2o version in Debian is long past upstream EOL and upstre

    From Chris Hofstaedtler@21:1/5 to All on Mon Apr 21 13:00:02 2025
    +CC: co-maintainer, last uploader

    * Demi Marie Obenour <demiobenour@gmail.com> [250421 09:09]:
    > Upstream H2O no longer makes releases (https://github.com/h2o/h2o/3230)
    > and the tagged releases are therefore EOL and do not get security patches
    > anymore. This means that there might be upstream vulnerabilities that
    > affect Debian's H2O package.
    >
    > I recommend either dropping H2O from Debian altogether [..]

    This might be an option. dak tells us, only netdata build-depends on
    it, however netdata is not part of testing currently:

    $ dak rm -R -n h2o
    Will remove the following packages from unstable:

    h2o | 2.2.5+dfsg2-11 | source, amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x
    h2o-doc | 2.2.5+dfsg2-11 | all
    libh2o-dev | 2.2.5+dfsg2-11 | amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x
    libh2o-dev-common | 2.2.5+dfsg2-11 | all
    libh2o-evloop-dev | 2.2.5+dfsg2-11 | amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x
    libh2o-evloop0.13t64 | 2.2.5+dfsg2-11 | amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x
    libh2o0.13t64 | 2.2.5+dfsg2-11 | amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x

    Maintainer: Apollon Oikonomopoulos <apoikos@debian.org>

    ------------------- Reason -------------------

    ----------------------------------------------

    Checking reverse dependencies...
    # Broken Build-Depends:
    netdata: libh2o-dev-common

    Dependency problem found.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Anton Gladky@21:1/5 to All on Mon Apr 21 15:30:01 2025
    Hello all,

    I agree to drop it and will file an RM bug.

    Regards

    Anton

    On Mon, 21 Apr 2025 at 12:48, Chris Hofstaedtler <zeha@debian.org> wrote:

    > +CC: co-maintainer, last uploader
    >
    > * Demi Marie Obenour <demiobenour@gmail.com> [250421 09:09]:
    > > Upstream H2O no longer makes releases (https://github.com/h2o/h2o/3230)
    > > and the tagged releases are therefore EOL and do not get security patches
    > > anymore. This means that there might be upstream vulnerabilities that
    > > affect Debian's H2O package.
    > >
    > > I recommend either dropping H2O from Debian altogether [..]
    >
    > This might be an option. dak tells us, only netdata build-depends on
    > it, however netdata is not part of testing currently:
    >
    > $ dak rm -R -n h2o
    > Will remove the following packages from unstable:
    >
    > h2o | 2.2.5+dfsg2-11 | source, amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x
    > h2o-doc | 2.2.5+dfsg2-11 | all
    > libh2o-dev | 2.2.5+dfsg2-11 | amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x
    > libh2o-dev-common | 2.2.5+dfsg2-11 | all
    > libh2o-evloop-dev | 2.2.5+dfsg2-11 | amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x
    > libh2o-evloop0.13t64 | 2.2.5+dfsg2-11 | amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x
    > libh2o0.13t64 | 2.2.5+dfsg2-11 | amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x
    >
    > Maintainer: Apollon Oikonomopoulos <apoikos@debian.org>
    >
    > ------------------- Reason -------------------
    >
    > ----------------------------------------------
    >
    > Checking reverse dependencies...
    > # Broken Build-Depends:
    > netdata: libh2o-dev-common
    >
    > Dependency problem found.


  • From Bastian Germann@21:1/5 to All on Thu May 1 16:30:02 2025
    Control: severity -1 serious

    On Mon, 21 Apr 2025 15:17:09 +0200 Anton Gladky wrote:
    > I agree to drop it and will file an RM bug.

    I am raising the severity to trigger autoremoval before trixie.
    The RM bug is blocked currently.
