Hi Santiago,

Quoting Santiago Ruano Rincón (2025-02-13 20:21:10)

Here attached you can find a list of packages that have ever had a
security issue **and** whose packaged version is not "up to date",
according to the uscan results. It is sorted by the number of currently
open CVEs in sid (the first "column"), and by the number of security
issues ever (second "column").

So, this is a call for comments: is this kind of package list useful?
I'd say that the CVEs open in sid are not critical nor have a
high-severity, but it would be nice to have them fixed, as soon as
possible. If having this list available somewhere is a good idea, could
it be "integrated" into UDD somehow? As a cgi-bin that outputs a json
file?

This is also a call for action/help proposal*: I would like to invite
the related maintainers and teams to evaluate if it is worth it to
package the latest upstream version of the listed packages, and try to
make it for trixie. I know that the time is really short, and this kind
of call could be improved and made it earlier for the next releases.

It would probably be helpful to also share the result of somehow running
the compiled list through dd-list, to raise attention for involved
maintainers.

- Jonas

--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
* Sponsorship: https://ko-fi.com/drjones

[x] quote me freely [ ] ask before reusing [ ] keep private --==============Q42447928564163124=MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Description: signature
Content-Type: application/pgp-signature; name="signature.asc"; charset="us-ascii"

-----BEGIN PGP SIGNATURE-----

wsG7BAABCgBvBYJnrkksCRAsfDFGwaABIUcUAAAAAAAeACBzYWx0QG5vdGF0aW9u cy5zZXF1b2lhLXBncC5vcmdIaOBu3CYhknJsd9jephY/bzYvX1FOLifVYLR95cmQ pBYhBJ/j6cNmkaaf9TzGhCx8MUbBoAEhAADSNw//UmIv+ydf39zDFO27tOrckYED S5ghuz8rwbMybJ60IVDfrXSluwcjRm0g3rf2iwSZ+xmgfRDrXM0tkdAH6tN7qONF bnOMUoTMfbKWwK01ufqs6s+f2c5o5gYSnucX8/8+Nik5jEAH2Ym9IYMwctmFt8Ua BAdlQsJwHRCrQyD7joLwgFeUufLMZLYTNHv54Wuv6482pkIfILkMexiVRVk2vEmb 9UN98ei2hEQnt0ikcYIeAPaIWdIElhTiTVBGbqgm0pKMRfwzjU279ASwFI5iNBpa nnXl1IaBDtJlIG9/fdXYtgx5tQWggMggRDeoCuyTUcaEpEQFUciOQkm48iH0NQnV VjVMy8GiFXBpqy+zwmDkN3vd01NU7Lfa2U+xo3VJ

On 2025-02-13 16:21:10 -0300 (-0300), Santiago Ruano Rincón wrote:
[...]

So, this is a call for comments: is this kind of package list useful?

[...]

The main problem I see is that the list includes projects who
backport security fixes to stable branches, so for example python-keystonemiddleware 10.7.1 is the latest point release on
their stable/2024.2 branch, while 10.8.0 is a development release on
their master branch. Both include the same security fixes,
therefore 10.7.1 isn't outdated even though there is a higher
version number available.

I see at least a few projects in your list I recognize as being in
the same situation, but no idea how many more there might be.
--
Jeremy Stanley

-----BEGIN PGP SIGNATURE-----

iQKTBAABCgB9FiEEl65Jb8At7J/DU7LnSPmWEUNJWCkFAmeuVP9fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDk3 QUU0OTZGQzAyREVDOUZDMzUzQjJFNzQ4Rjk5NjExNDM0OTU4MjkACgkQSPmWEUNJ WCn1Lw//TITyS/NRS86oZ8oNvlcz8/G4MNX8qGU96b7fLxygR63Bjiv9C4UtjbCE cD7pZznO6opt8Qw/5pXmKOXoal3DjRQbAGoAe1T2/4ngPL3iqJ4QbJ7aX+OkCmwq DDJWqOUULIsm1Vqmn9mPpRUOHnK2dPjR+kIbb3kEQJXdZpf2JGdZ9cpRJZHmdJCU a7AoY18bISZuc2H+u6O4GCtdlaCD/dizqayZ7jtTK4fTpYNNdfESlrIDTPLaZHzC zsaehLwjy/cn0I/j/nrgDipd31zTaK62aVPKG8zHwj9EV1ppzKjxj7QCkjkMvyPn dWNU4mJ8lXTVPmi/AxKCvP4oPFVp/UgqJS7ObFfewe9BiyEF8gYa00TvYNUlTKF3 r/6fPyx1DjgUVS/24RRL4FvwFo9SHa+/Bt/sDC/D2rFkdorlEKDoP/N0F65KCYyL bmyHBjk/5AiwdmbWE9MytVcdELM17Qo1XISH5euPDorEDIeAuf7Lj0EpYhGnR5u1 ovNoJzm/khhS+KYQbLN+KL1lWAnn8xN18z05jblef7OHGqj7ozdWhrj0ull2R8DK 2N1TXgpoyOF62XluXUItAzQ9hEx3CxI1FxOPDitdSE/dY8gTT4gkdPhYm9qJyQ0I f4lMtbD5/c0YgJaesvKUhBUvkPkoofaoF0k0lIKg+39OzMglvsQ=
=ZrA4
-----END PGP SIGNATURE-----

--- SoupGate-Win32

To: debian-devel@lists.debian.org
To: team@security.debian.org

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------------pk9CwhSiew0Wz5ue0H67Qt6o
Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: base64

SGksDQoNCk9uIDEzLTAyLTIwMjUgMjA6MjEsIFNhbnRpYWdvIFJ1YW5vIFJpbmPDs24gd3Jv dGU6DQo+IEFueSB0aG91Z2h0cz8NCg0KDQpZb3UgbWlnaHQgYWxzbyB3YW50IHRvIHNvbWVo b3cgdGFrZSBhY3Rpdml0eSBvbiB0aGUgcGFja2FnZSBpbnRvIA0KYWNjb3VudC4gRS5nLiBj YWN0aSAodGhhdCBJIGFtIG5lYXJseSB0aGUgb25seSB1cGxvYWRlciBmb3IpIGhhcyBzZWVu IGFuIA0KdXBkYXRlIGZvciBDVkUncyBvbmx5IGxhc3Qgd2Vlay4gSSBkb24ndCB0aGluayBJ IG5lZWQgKG5vciB3b3VsZCBJIA0KYXBwcmVjaWF0ZSkgbW9yZSBuYWdpbmcuDQoNCkhvdyBk byB5b3UgZW52aXNpb24gKnVzaW5nKiB0aGlzIGxpc3QsIGV4Y2VwdCBoYXZpbmcgdGhpcyBk aXNjdXNzaW9uIGFuZCANCnNoYXJpbmcgYSBkZC1saXN0IGFzIHN1Z2dlc3RlZCBieSBKb25h cz8gRmlsZSB3aXNobGlzdCBidWdzIGFnYWluc3QgdGhlIA0KcGFja2FnZXMgaWYgdGhleSBk b24ndCBleGlzdCB5ZXQgKHRha2luZyB0aGUgZmlyc3QgcGFyYWdyYXBoIGludG8gDQphY2Nv dW50IHRvbyk/DQoNClBhdWwNCg0K

--------------pk9CwhSiew0Wz5ue0H67Qt6o--

-----BEGIN PGP SIGNATURE-----

wsB5BAABCAAjFiEEWLZtSHNr6TsFLeZynFyZ6wW9dQoFAmeuXKAFAwAAAAAACgkQnFyZ6wW9dQot YAgAs3eLb0lCuXeiCsd3f66nGhXKS2Q2b+3FLeWL+CaoAaZgtKcBdgZcl57YLhpokDg9JNP1mG3f JoYzA1HkKuHpJbbvBXPjfWQ8GwDHcqauU9rfXY3YmirWZ6L0QF/S6J3oQ5xTimfhPOT+37MBgVwe wqzKeddjAXPKYSVTEVMLGWNpXsX2YSqhB3+9aYc2v+EYRcg0thhNzW3H0WG67w8C/Qt9N8cF3sns 55dNJMcaaA+LT+f4CKTLTao6i1QJr+ak6gX9FT7FI7Fi5uEg5yBI6hwAsL0hdYVYQsBXr8VEWWB7 bsXwQ1AxXgj8qmb3f9zEd8W6EYQTKoQvC0V+NbQhoA==
=yPYN
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Feb 13, 2025 at 08:34:07PM +0100, Jonas Smedegaard wrote:

Hi Santiago,
It would probably be helpful to also share the result of somehow running
the compiled list through dd-list, to raise attention for involved maintainers.

I want to say: yes. :) please do.


--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

Dat gifft in Plattdüütschen keen Woort för „Flüchtlinge”. Dat sünd allens Lüüd,
Mischen, Kinners, Olle, Froons, Mannslüüd, so as Du un Ick.

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAmeuXtYACgkQCRq4Vgaa qhwgGg//eGS5Opv1A0oVsGmeV585A6ZVgx0Dax91a27VwKfZo3EXlRWrivsTY2My feCCG7D9uizuXboP/ahqi4KnAw+Hg5YEdC9RwA2JVIy1zC0Jt6G3ukPYI00rrBdn Rot990a5hLI4lGgozb5Pv/C51gxwBl3TePEcp9RHk94ttTNugbN8z/0P1U4aCHUU flWjbgc4j5CkCHnqML+lvUQhgDQUS/3giNX5zVI+r7SspmTZZfm+JB2V9NibJfq4 AUSOF8+otya9NnolGw1KIt1y6W9ELyu6X8wdteYDoueISRe2Y7Tu2iM2viUGaUJJ fwo704M8FfrowJrc3RfHR2CHl+lwsd4IwLfrTOCQo39WkgdkAtUinA1tkNlmHUVA j7aZ/ASHgyhDkYpuEVJtxKdZwuf0xXn6+9ybkGVdZeyMr/yGw4R00hMv3+zVyfGr Ld55Fyhb2HHZwyMONcjN4rXFZi51jd71HaZczKj10IdGV1QJCO+eoyy+uKBq7ELu f5KJRZdklPuGMaNfO9GBRBRe

On Thu Feb 13, 2025 at 8:57 PM GMT, Paul Gevers wrote:

You might also want to somehow take activity on the package into
account.

Absolutely. E.g. the new OpenJDK 11 package came out a week ago. It
would be interesting to see which packages in the list have a much
larger gap, such as years.


--
Please do not CC me for listmail.

👱🏻 Jonathan Dowland
✎ jmtd@debian.org
🔗 https://jmtd.net

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

* Santiago Ruano Rincón <santiagorr@riseup.net> [250213 20:21]:

Here attached you can find a list of packages that have ever had a
security issue **and** whose packaged version is not "up to date",
according to the uscan results. It is sorted by the number of currently
open CVEs in sid (the first "column"), and by the number of security
issues ever (second "column").

So, this is a call for comments: is this kind of package list useful?

Just having the list does not add anything new. All software can
have security bugs, so this list devolves to "packages that are not
uptodate wrt to upstream".

ddpo already has my list of packages that I should be updating.

Chris

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, 14 Feb 2025 14:44:47 +0100, Chris Hofstaedtler
<zeha@debian.org> wrote:

* Santiago Ruano Rincón <santiagorr@riseup.net> [250213 20:21]:

Here attached you can find a list of packages that have ever had a
security issue **and** whose packaged version is not "up to date",
according to the uscan results. It is sorted by the number of currently
open CVEs in sid (the first "column"), and by the number of security
issues ever (second "column").

So, this is a call for comments: is this kind of package list useful?

Just having the list does not add anything new. All software can
have security bugs, so this list devolves to "packages that are not
uptodate wrt to upstream".

Especially if the list just goes the (wrong) way of so many commercial
security tools and/or consultants who just compare version numbers and
flag our stable versions as vulnerable regardless whether we have
patched vulnerabilities or not.

Just parsing version numbers is easy, it has been done hundreds of
times, and each one of those times is wrong and a waste of resources,
both of the instance who compiles and compares, and on our side to
verify the suggestion.

Greetings
Marc
--
---------------------------------------------------------------------------- Marc Haber | " Questions are the | Mailadresse im Header Rhein-Neckar, DE | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 6224 1600402

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Feb 14, 2025 at 03:28:35PM +0100, Marc Haber wrote:

Especially if the list just goes the (wrong) way of so many commercial security tools and/or consultants who just compare version numbers and
flag our stable versions as vulnerable regardless whether we have
patched vulnerabilities or not.

But it doesn't. Santiago's using the data from the security tracker to determine whether CVEs are open.

--
Colin Watson (he/him) [cjwatson@debian.org]

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Feb 14, 2025 at 02:44:47PM +0100, Chris Hofstaedtler wrote:

Just having the list does not add anything new. All software can
have security bugs, so this list devolves to "packages that are not
uptodate wrt to upstream".

I'm not sure that's quite right. It's a _prioritized_ list of packages
that are not up-to-date with upstream. When I look at team pages such
as https://udd.debian.org/dmd/?email1=team%2Bpython%40tracker.debian.org&nosponsor1=on&email2=&email3=&packages=&ignpackages=&format=html&onlytesting=on#todo,
some kind of prioritization of which packages out of the huge pile are
worth paying more attention to than others is useful to me.

--
Colin Watson (he/him) [cjwatson@debian.org]

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Santiago Ruano Rincón <santiagorr@riseup.net> writes:

Any thoughts?

I'm sure there are things up near the top of the list that do need a
closer look, but picking a package that I'm responsible for:

0, 1, openqa, (4.6.1732034221.ae34b08ff -> 4.6.1739296030.77d38ef),

by the time you get down that far, it's probably just pure noise.

In the case of openqa, a) I uploaded that on Jan 23rd, and b) upstream
treats every commit to their master branch as a release, so there is
basically no way of ever satisfying your up-to-dateness test, because
there will generally have been another commit before a package makes it
through the buildds let alone making it into testing.

Having said that, I applaud the effort, but a few more filters would
appear to be needed for it to become properly useful.

Cheers, Phil.
--
Philip Hands -- https://hands.com/~phil

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3/FBWs4yJ/zyBwfW0EujoAEl1cAFAmevoaMACgkQ0EujoAEl 1cAtEBAAwj+WM1taaaXWFKD6Iz1BlC1nVObmteDnv3FKacV/Et6PtuzRIBxMkqlJ lg0UJt2K/U/zZ8/ATyK7LOdP/LUDvVkAzUzowzTNtukLdfA7kxweCTZTvi7OGVkA azYT93pUW4yWYf5XqA0siMbpk3CnO/fQTIRnc/qDzyQUJv27l+jYdu199JwzuOW8 Tbz6LvVGQEgh/ko8jubmxQVdgFB6K/CwUs2bifvVqArlTknbkbMWpt27ipzbFb8E vnRrhpz9eL+RNJrK6LDfBw+x/fUbmjSzHIHq/8kqQ4ZxaVv9D7wuEn/TtsU2OKnA se8zmJB7XBHJClQpE968fOWXadNTt53W/IqaDpntbd6v06tAADl67tnI412FsFiA 7DHX50/+rMUhyiSSlAM3D5sXKM051QfW2qnVmBFL4vRmBRYadalDxyZYGsxCBWoT 8a1oJlXe/VIgkkkqt6TmTEGwU+YWsUnAbA1LOsMlHdjRt+oRVxha/d0wrIvICmFP EHnCJplPKwGH0JTQoiwovPcuCKZFGNOeDAW/v0w75YZSelBKsWjpHCq0jN1s5px1 L5m526KQ5L6cpiCnZugcRLmonJLAgGFixZ6MLjHTMaqKJ5bkisrpwoBwSQ5652aR Xur2+VC8JnIhN/mrB9o+/IxC9v7/Ei/f/rFjFTDwCuoOTNz0QWUvOD
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway

On Fri, 14 Feb 2025 17:12:48 +0000, Colin Watson <cjwatson@debian.org>
wrote:

On Fri, Feb 14, 2025 at 03:28:35PM +0100, Marc Haber wrote:

Especially if the list just goes the (wrong) way of so many commercial
security tools and/or consultants who just compare version numbers and
flag our stable versions as vulnerable regardless whether we have
patched vulnerabilities or not.

But it doesn't. Santiago's using the data from the security tracker to >determine whether CVEs are open.

Good. Don't we have debsecan for that? Or the security tracker itself?

Greetings
Marc
--
---------------------------------------------------------------------------- Marc Haber | " Questions are the | Mailadresse im Header Rhein-Neckar, DE | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 6224 1600402

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

* Colin Watson <cjwatson@debian.org> [250214 18:13]:

On Fri, Feb 14, 2025 at 03:28:35PM +0100, Marc Haber wrote:

Especially if the list just goes the (wrong) way of so many commercial security tools and/or consultants who just compare version numbers and
flag our stable versions as vulnerable regardless whether we have
patched vulnerabilities or not.

But it doesn't. Santiago's using the data from the security tracker to determine whether CVEs are open.

I understood Santiago looked at all packages that ever had a
security issue reported. The two of my packages in the list would
support this interpretation.

I don't see how this is a meaningful prioritization.

Chris

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Feb 14, Colin Watson <cjwatson@debian.org> wrote:

But it doesn't. Santiago's using the data from the security tracker to determine whether CVEs are open.

And in the case of one of my own packages these CVEs have not yet been
fixed upstream, not even in an unreleased branch.

--
ciao,
Marco

-----BEGIN PGP SIGNATURE-----

iHUEABYIAB0WIQQnKUXNg20437dCfobLPsM64d7XgQUCZ7JHXQAKCRDLPsM64d7X gZOuAQDT8+pPTgU/Po3sVw8T2sRlmi+35LxUcT2oi4Wm4rldpgEA8rxymwjQ3Ny8 nJD75UFmAfBvweZVpP9K5Gk4tJEaLQY=
=Q8c8
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

El 13/02/25 a las 21:57, Paul Gevers escribi�:

Hi,

On 13-02-2025 20:21, Santiago Ruano Rinc�n wrote:

Any thoughts?

You might also want to somehow take activity on the package into account. E.g. cacti (that I am nearly the only uploader for) has seen an update for CVE's only last week. I don't think I need (nor would I appreciate) more naging.

Thanks for this comment, acknowledged.

How do you envision *using* this list, except having this discussion and sharing a dd-list as suggested by Jonas? File wishlist bugs against the packages if they don't exist yet (taking the first paragraph into account too)?

I think that reporting bugs would make sense, and it is the first idea
that naturally came up to my mind. In any case, I was not thinking in
blindly running mass-bug filing.

Other than to take into account recent activity, I think it is important
to look for possible reasons for not packaging the version reported by
uscan, before filing a bug report.
Maintainers may have different methods to keep a package up-to-date,
e.g. (again) nginx, for which keeping ABI/API stable is also important.
So, I was *not* planing to file bugs for all of the packages listed
there.

To answer other comments in this thread, yes, more filtering would
enhance this list. I acknowledge that the current script and list is not perfect.

Cheers,

-- Santiago

-----BEGIN PGP SIGNATURE-----

iHUEABYIAB0WIQR+lHTq7mkJOyB6t2Un3j1FEEiG7wUCZ7PragAKCRAn3j1FEEiG 7/pfAQCKj4feL/kFCMG05wKJ8Rk0kQLtnrWJq5DNoskXBml1wQD+PyMPlvVQuLBu MwaFjmipUad0fElbrvmTitQJaMF5TA8=
=QQv6
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

El 16/02/25 a las 21:15, Marco d'Itri escribi�:

On Feb 14, Colin Watson <cjwatson@debian.org> wrote:

But it doesn't. Santiago's using the data from the security tracker to determine whether CVEs are open.

And in the case of one of my own packages these CVEs have not yet been
fixed upstream, not even in an unreleased branch.

Yes, and those are examples of the "false positive" cases I was
referring to originally. I am not aware of any way to automatically
filter them, as of today.

-----BEGIN PGP SIGNATURE-----

iHUEABYIAB0WIQR+lHTq7mkJOyB6t2Un3j1FEEiG7wUCZ7PtXAAKCRAn3j1FEEiG 75qiAQC7MmpoULAmGiSsAIkkPEfAKvxRGXoRuiNMjYUoQeaEIgD/QoL/9HsmqiOC dJK6X19/DdQat06BFaDwzUWRO4gNJQE=
=SF3L
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Mon, Feb 17, 2025 at 09:42:21PM -0500, Paul R. Tagliamonte wrote:

CVEs are not perfect. CVE count is, charitably, a proxy for how much
security attention / research it gets (hopefully that is, in turn, a proxy
for how important a package is). Not so charitably, it's perhaps a proxy
for how many people who want to build a reputation as an expert have spent
time finding something that would pass minimal�scrutiny�as a security
issue.

This is really the central point of the issue. In the instances I have observed, we are usually talking about a *real* issue, but most often
not one that deserves to be considered a CVE, and even less deserves
some arbitrarily inflated CVSS score. Fixing the issue is good, but
dealing with all the CVE and CVSS noise is a pain.

There are plenty�of security issues that are solved via normal bugfixes�by
people who never realize the security implications of their bugfixes. In
important security sensitive places, too!

In theory, any abnormal program behavior has the potential to carry a
security implication. And in one project I have actually seen where
there was a push to retroactively designate CVEs for past bug fixes that
it turned out had some kind of specific security vulnerability
associated with them. It was very bizarre, and I took it as a sign that
the "everything has to have a CVE and every CVE must be fixed" mentality
is infecting more and more parts of the software development world.

Updating to the latest upstreams is a good idea for lots of reasons, but I
don't totally understand the nexus to CVE here. Don't let me dissuade you
from doing good work here, but I reckon CVE counting is likely going to
lead to a lot of very weird non-security related biases which you�may or
may not actually want.
FWIW this will solve one real problem: Lots of companies complain
endlessly and mindlessly about CVEs based on package version(s) without
regards to the issue being exploitable or even reachable (or built into
the binary, in some cases!). Closing CVEs out will no doubt make them
complain less, which sounds nice.

I have seen lots of mindless complaining based on package versions, and
I agree that something like this effort is likely to reduce the
occurence of that sort of thing. And, yes, CVE is probably not a great
proxy. But Santiago has discussed this with quite a few of us on the LTS
team at various points along the way, and a better proxy hasn't been
found.

Regards,

-Robeto
--
Roberto C. S�nchez

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2025-02-18 08:55:55 -0500 (-0500), Roberto C. Sánchez wrote:
[...]

In theory, any abnormal program behavior has the potential to carry a security implication. And in one project I have actually seen where
there was a push to retroactively designate CVEs for past bug fixes that
it turned out had some kind of specific security vulnerability
associated with them. It was very bizarre, and I took it as a sign that
the "everything has to have a CVE and every CVE must be fixed" mentality
is infecting more and more parts of the software development world.

[...]

Agreed. In projects where I do vulnerability management work, we've
mostly given up pushing back on things others want to file CVEs
about in our projects. Our view is that we decide what does and
doesn't get an official advisory published, and we'll request a CVE
assignment for that ourselves if one hasn't already been issued, but
if anyone else wants a CVE for something in our software they can
get one themselves and we generally don't have the time or energy to
burn on disputing those. If someone comes to us about one of those third-party-issued CVEs not being fixed or fixes for it not getting
backported, we remind them that we don't consider it a vulnerability
and they're free to take it up with whoever requested or issued it.
--
Jeremy Stanley

-----BEGIN PGP SIGNATURE-----

iQKTBAABCgB9FiEEl65Jb8At7J/DU7LnSPmWEUNJWCkFAme0lfBfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDk3 QUU0OTZGQzAyREVDOUZDMzUzQjJFNzQ4Rjk5NjExNDM0OTU4MjkACgkQSPmWEUNJ WCmAcxAAn31bAT82QkwoTF5FBWsyY8VDjxQlU85EVOwFH9UgRslBZj5f3fLDl15/ /M2+eZ7RjUUuP1+nAoIOBV28Z/lJawnYATwRBkQRNw72jMcWBg7SkUOZpxVgozWm PzisJh7y3WTGKTere5DdoTUf+w9Pt4+vX7xa6AAGcBFBW01m3KIdeCbKI56MKHTO aiLLKhLXH+PVjSfaR9x5icip0GX6KgRQHvLyGeDxrQsjpNTnzQKsNke57WOfm3c5 x+n6AU3zmFDqFnfVm7NgkMMJzFhDsBmwvP3WOI8Ashq3rjDEJtSpr1weRtR5rUPU pig9at6/VLWONGW2lw4F7ebguOZL+zQDFz/xfadCDiobouL2/iRdT1EMeZzROmPv FKxDf7hCljTiIi2Ltj6zVlwF1f7rfrYIMjscfo3OVmCDZSQAQ9sRBzn2ts/oUDGG HyvJVqWvDcs+5sf12YreMIMT85C/BoNhrejjtvnUBdxTUE6sU5PtWjN/nXOTJKux UGER1Zu20ktpHI0y7F6GqBdaRxyxgA5h7b8YzlgBuFaatrYAdyqP60Nx+cXLxAiL 35fhENvvSdFQu6p1tLOENUdDV6E66WAN/eWcKxIL3hE85FlDl2q88SGoDdcejzj9 SnP+cM1XwiQO850vnSL5bHNo+QQROc7HF1hcG92wvbLU252w2xI=
=e1T3
-----END PGP SIGNATURE-----

--- SoupGate-Win32

"Santiago" == Santiago Ruano Rincón <santiagorr@riseup.net> writes:

Santiago> Dear Debian fellows, I am writing this email under the
Santiago> hypothesis that having the latest (or longest supported)
Santiago> upstream version in the next release will: 1. make it
Santiago> easier to provide security support during the whole
Santiago> release lifecycle, and 2. it will be useful for users, as
Santiago> they could have the latest features and bugfixes, in case
Santiago> of minor point release updates.

I found this really cool and thanks for doing it.
I think some of the issues others have raised are valid, and I don't
actually know what next steps ought to be with this data.
I know that for myself, I found reading through the first few hundred
entries in your list was interesting and gave me a snapshot of Debian I
was not getting elsewhere.

Thanks for doing the work and please continue to think about how this
could evolve.

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQSj2jRwbAdKzGY/4uAsbEw8qDeGdAUCZ7TgLQAKCRAsbEw8qDeG dNRgAPkBYWJubvDEnRS8N+ZwarJNbcFweNXMbdHIr2phgwxuMQD/WWlj0yrw2BCX AYsUxASdc17ij9Kd04cuxUDZtcef/AM=/cWy
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

On Mon, 17 Feb 2025, Santiago Ruano Rincón wrote:

Other than to take into account recent activity, I think it is important
to look for possible reasons for not packaging the version reported by
uscan, before filing a bug report.

I actually see it the other way. When a new upstream release has not been packaged into Debian one month after its release, as a user, I'd like to
know why. Having a bug report open would allow the maintainer to comment
and leave some explanation, whatever it is.

It could be that he has no time and would gladly accept help. It could be
that this is not an LTS release and he will only package LTS releases. Or
it could be that it's just a minor release and he intends to update the
package just once a couple of months before the release. Or the new
upstream release requires a new dependency that we don't have yet, and
he's waiting on that, etc.

So provided that we don't spam maintainers with "new upstream release"
bug reports hours after the upstream release, and that we don't open new
bug reports for as long as the former one has not been closed (but instead update the existing bug with the new information), then I would be
pretty much in favor of automating the creation of such bug reports.

Cheers,
--
⢀⣴⠾⠻⢶⣦⠀ Raphaël Hertzog <hertzog@debian.org>
⣾⠁⢠⠒⠀⣿⡁
⢿⡄⠘⠷⠚⠋ The Debian Handbook: https://debian-handbook.info/get/
⠈⠳⣄⠀⠀⠀⠀ Debian Long Term Support: https://deb.li/LTS

-----BEGIN PGP SIGNATURE-----
Comment: Signed by Raphael Hertzog

iQEzBAABCgAdFiEE1823g1EQnhJ1LsbSA4gdq+vCmrkFAme3MA8ACgkQA4gdq+vC mrllOwgAk14ZSEnlyUkNyfD32GD8YjuTj8d1060fSijNh+vpMYrw+sPHuzWB+oco qXa9Gq2vuYWiJAZG/t+cFH5v5UqhgHrQfDcKXSgBoRHcLupha/RBgRFWECma1TN1 z1yb+NtslsWKrRG/ZrIRY87CnbC7/y22ZkmLT1WrAhaIskXCQ0LCM38d9mWni7u7 ff92feH9YbJGJOzU0yRGQTI7TsquSwOx3LIewpF63S39gzmetlVNwEIN+GqkXBhQ WSACJTQ04Ep6TCKzWVh64X9+LW8S1gqLKfbyQuEktSq1yZwWZpez+8Cg2eqljf3+ DcgyOm9H7v1SkhxK0C5FdPp9NI7FzA==
=C8I4
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Santiago,

thanks a lot for this list. As others mentioned it would be helpful to
add the maintainers to the list and I agree. ;-)

I spotted some specific packages I like to comment on (but I might
have missed others I should comment on)

Am Thu, Feb 13, 2025 at 04:21:10PM -0300 schrieb Santiago Ruano Rinc�n:

num of open CVEs in sid, num of historical CVE, source name
2, 21, wget, (1.24.5 -> 2-latest),

We have wget and wget2 as different packages. I've fixed the watch file
of wget in Git[1]. I'll talk with the maintainer how to proceed.

2, 19, fis-gtm, (7.1-005 -> 7.1-006),

Its Debian Med team maintained but we somehow lost contact to upstream.
The upgrade to latest upstream should be no problem and we *assume* that
the CVEs are fixed but its not confirmed, thought.

0, 13, cimg, (3.5.0+dfsg -> 3.5.2),

Just building latest upstream (which should be done in any case). For practical security issues I do not really expect severe problems even
for LTS Debian. Upstream is very responsive and might even help for
older versions.

Thanks again and I hope I did not missed anything important in this
list.

Kind regards
Andreas.

[1] https://salsa.debian.org/noel/wget/-/merge_requests/1

--
https://fam-tille.de

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

So provided that we don't spam maintainers with "new upstream release"
bug reports hours after the upstream release, and that we don't open new
bug reports for as long as the former one has not been closed (but instead update the existing bug with the new information), then I would be
pretty much in favor of automating the creation of such bug reports.

I don't think that would be very useful. Not for me at least.

There's my QA page https://qa.debian.org/developer.php?login=ltworf where all the packages with a newer version upstream have a red version in the "watch" column. So I know exactly which packages have new versions.

As to why I haven't done anything about it, depends on the specific package. Usually lack of time.

--
Salvo Tomaselli

"Io non mi sento obbligato a credere che lo stesso Dio che ci ha dotato di senso, ragione ed intelletto intendesse che noi ne facessimo a meno."
-- Galileo Galilei

https://ltworf.codeberg.page/
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEQnSLnnbYmXmeH74Us6fPDIAYhs8FAme5jdIACgkQs6fPDIAY hs/7fhAAqhAm05VZ7SrECBBIGLdu2knTxiiY54pHzuCJZlamcEEyVujCar+rCf0F F57QddRzVk8hq85ohmcEKoVPtKDnuAwbXju8ifx8PMNoGXwA4XsM0xf9LuY8nqCn VyGMbhzz8b61dctS22f5cEHGYIJOqEHyLGfp8BpkpvrVw8Po5jXP0IAZXInvhLnJ UaDRV/N792aSCJT/OI0GIXhlhXh16uA9W+JWKQUORTFcvkhCm0yIyUn94WIzElSS YeZVwecl0l0131WffLvPps1blY1gNL7FbUEPEZYfIbVx+i7V3UZu6i/uDlDJL0dJ 5IOJ3bNaTa9TpX2V57sa6kQmRjwLQWh8SxkynOrXJruo2RsBVy2ld+HMUHGBhd+6 7kGMFI1/K8Q5DvookIuFW1Fd0ph4eWDLK2vP9a9kSzW5jyrxJM9jDGAtTysRtKTH 6dBS9VupfFbpBjENCq4SXjK6ceNI2O15u96Zn0YuHDANW/bRMtdj5LxppnAQBMbw YzvCZBbk33UEqxmQEwKcnnmB02e9oVWHZ5sdTuWYqTOcv43VosDxq05dYWlKmEes hsBiGn5icvWtZ1Tuh3vmAP/IIvre2AHOhhnDsb1lBl3bke69kz2ZeayEeDvxpYDk osP2ADKcXHdjI2mtcXMR8MuxaHx12rNVmE5zqq17DTiWbldoEGw=
=IwbP
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sat, Feb 22, 2025 at 09:41:54AM +0100, Salvo Tomaselli wrote:

So provided that we don't spam maintainers with "new upstream release"
bug reports hours after the upstream release, and that we don't open new bug reports for as long as the former one has not been closed (but instead update the existing bug with the new information), then I would be
pretty much in favor of automating the creation of such bug reports.

I don't think that would be very useful. Not for me at least.

There's my QA page https://qa.debian.org/developer.php?login=ltworf where all the packages with a newer version upstream have a red version in the "watch" column. So I know exactly which packages have new versions.

As to why I haven't done anything about it, depends on the specific package. Usually lack of time.

The question is really whether you would be open to someone packaging a
new upstream release for one of your packages and then whether you would
prefer to review the package before it is uploaded or not (clearly, this depends much on the reputation of the person doing the packaging). And
then, would filing a bug report help to make this process smoother?
I.e., right now, if someone were interested in helping you by updating
one of your packages to a new upstream release, it would be necessary to
look at your QA page, perhaps email you privately, etc.

By going the route of filing a bug, it makes it easier (I think) for
those who might be looking to contribute in this way (getting new
upstream versions in Debian), and it makes the communication much
easier. For example, if you know you want to skip a particular version,
you could notate that in the bug report. So, then someone wouldn't have
to ask, it would already be stated that you are waiting for some
specific reason.

Perhaps the way to look at it is that in the case where isn't directly
helpful to the maintainer (as in your specific case), it can be helpful
to those with a desire to collaborate in some way.

Regards,

-Roberto

--
Roberto C. S�nchez

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)