Bug#1028286: marked as done (transition: xml-security-c)
Your message dated Tue, 10 Jan 2023 11:25:05 +0100
with message-id <Y709AQt1prDEvUEg@ramacher.at>
and subject line Re: Bug#1028286: transition: xml-security-c
has caused the Debian Bug report #1028286,
regarding transition: xml-security-c
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
1028286: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1028286
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: transition
Dear Release Team,
In a recent message [1] Shibboleth upstream strongly recommended
building xml-security-c without Xalan support to reduce the attack
surface of Shibboleth installations, because Xalan is dead upstream and
pulling it in carries a considerable risk. The Shibboleth stack is the
only consumer of the xml-security-c library in Debian, so we'd like to
follow upstream's recommendation. This means flipping a configure
switch, which removes some features (and a dependency) of the library,
but does not change the library SONAME. The resulting new library
version is usable as-is by the upper layers of Shibboleth stack, which
does not use the dropped functionality, so this wouldn't be a transition
in that sense, but we (the Shibboleth packaging team) still wanted to
run this by you. We don't expect any fallout, xml-security-c was built
without Xalan until version 2.0.2-2 without issues. Some maintenance
uploads of the upper layers were planned and will be done anyway.
[1] https://alioth-lists.debian.net/pipermail/pkg-shibboleth-devel/2023-January/005929.html
Unusable Ben file:
title = "xml-security-c";
is_affected = .depends ~ "libxml-security-c20" | .depends ~ "libxml-security-c20";
is_good = .depends ~ "libxml-security-c20";
is_bad = .depends ~ "libxml-security-c20";
--- End Message ---
--- Begin Message ---
Hi Ferenc
On 2023-01-09 10:07:54 +0100, Ferenc Wágner wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: transition
>
> Dear Release Team,
>
> In a recent message [1] Shibboleth upstream strongly recommended
> building xml-security-c without Xalan support to reduce the attack
> surface of Shibboleth installations, because Xalan is dead upstream and
> pulling it in carries a considerable risk. The Shibboleth stack is the
> only consumer of the xml-security-c library in Debian, so we'd like to
> follow upstream's recommendation. This means flipping a configure
> switch, which removes some features (and a dependency) of the library,
> but does not change the library SONAME. The resulting new library
> version is usable as-is by the upper layers of Shibboleth stack, which
> does not use the dropped functionality, so this wouldn't be a transition
> in that sense, but we (the Shibboleth packaging team) still wanted to
> run this by you. We don't expect any fallout, xml-security-c was built
> without Xalan until version 2.0.2-2 without issues. Some maintenance
> uploads of the upper layers were planned and will be done anyway.
ACK. Let's do that.
As this does not need any involvment from the RT, I'm closing the
bug report.
Cheers
>
> [1] https://alioth-lists.debian.net/pipermail/pkg-shibboleth-devel/2023-January/005929.html
>
> Unusable Ben file:
>
> title = "xml-security-c";
> is_affected = .depends ~ "libxml-security-c20" | .depends ~ "libxml-security-c20";
> is_good = .depends ~ "libxml-security-c20";
> is_bad = .depends ~ "libxml-security-c20";
>
--
Sebastian Ramacher
--- End Message ---
Reply to: