Bug#1029566: transition: shibboleth-sp

To: Ferenc Wágner <wferi@niif.hu>
Cc: Ferenc Wágner <wferi@debian.org>, 1029566@bugs.debian.org
Subject: Bug#1029566: transition: shibboleth-sp
From: Sebastian Ramacher <sramacher@debian.org>
Date: Sun, 29 Jan 2023 23:01:43 +0100
Message-id: <[🔎] Y9bsx8m1MzQpRLNe@ramacher.at>
Reply-to: Sebastian Ramacher <sramacher@debian.org>, 1029566@bugs.debian.org
In-reply-to: <[🔎] 87ilgp9gka.fsf@fin.soreny>
References: <[🔎] 167457705652.436705.575664555865480225.reportbug@fin.soreny> <[🔎] Y9WmW13z10Lx3kBI@ramacher.at> <[🔎] 87ilgp9gka.fsf@fin.soreny> <[🔎] 167457705652.436705.575664555865480225.reportbug@fin.soreny>

Control: tags -1 confirmed

On 2023-01-29 22:28:05 +0100, Ferenc Wágner wrote:
> control: tags -1 - moreinfo
> 
> Sebastian Ramacher <sramacher@debian.org> writes:
> 
> > On 2023-01-24 17:17:36 +0100, Ferenc Wágner wrote:
> >
> >> Package: release.debian.org
> >> Severity: normal
> >> User: release.debian.org@packages.debian.org
> >> Usertags: transition
> >> 
> >> When reporting #1028286 (transition: xml-security-c) I totally missed
> >> that one of the mentioned planned upper layer uploads is the
> >> shibboleth-sp 3.3 -> 3.4 upgrade, which, contrary to the xml-security-c
> >> transition, actually entails an SONAME change.  Since this wasn't
> >> explicit in the original bug, we decided to ask for your ACK again.
> >> As you can see in the autogenerated tracker at
> >> https://release.debian.org/transitions/html/auto-shibboleth-sp.html,
> >> there are only two reverse dependencies, both of which are internal to
> >> the Shibboleth ecosystem (thus maintained by us) and both build without
> >> changes against shibboleth-sp 3.4.1+dfsg-1.
> >
> > What would be the consequences of postponing this transition to trixie?
> 
> There are no significant functional changes in this transition.  Our
> main reason for proposing it is to ship bookworm with the "current
> stable release" as much as possible, because upstream provides security
> support for the latest two stable releases only [1], and Shibboleth,
> being security software, heavily depends on being patched in a timely
> manner to stay useful.  While upstream actively works with us on
> preparing updates during the embargo periods, this may not be enough if
> we have to backport the fixes ourselves, so we strive to minimize such
> exposure.  Since this transition affects only two packages, which we
> need to rebuild anyway, we'd welcome the additional safety this upgrade
> would mean in providing security support for bookworm.

ACK, please go ahead.

Cheers

> 
> [1] https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/1134625008/ProductVersioning
> -- 
> Best regards,
> Feri.

-- 
Sebastian Ramacher

Reply to:

Follow-Ups:
- Bug#1029566: transition: shibboleth-sp
  - From: Ferenc Wágner <wferi@niif.hu>

References:
- Bug#1029566: transition: shibboleth-sp
  - From: Ferenc Wágner <wferi@debian.org>
- Bug#1029566: transition: shibboleth-sp
  - From: Sebastian Ramacher <sramacher@debian.org>
- Bug#1029566: transition: shibboleth-sp
  - From: Ferenc Wágner <wferi@niif.hu>

Prev by Date: Processed: Re: Bug#1029566: transition: shibboleth-sp
Next by Date: Bug#1029994: bullseye-pu: package phyx/1.01+ds-2+b1
Previous by thread: Bug#1029566: transition: shibboleth-sp
Next by thread: Bug#1029566: transition: shibboleth-sp
Index(es):
- Date
- Thread