#1036806 matrix-synapse: not suitable for inclusion in trixie

Package:
src:matrix-synapse
Source:
src:matrix-synapse
Submitter:
Salvatore Bonaccorso
Date:
2025-07-23 14:23:02 UTC
Severity:
normal
Tags:
#1036806#5
Date:
2023-05-26 17:28:24 UTC
From:
To:
Hi Andrej,

I believe matrix-synapse is still in the same status as for #982991
back for the bullseye release, and not suitable to be included in
bookworm as stable release.

As such, let's have it removed from bookworm if you agree. If this is not
correct, we need to have assurance that security fixes arising during the
bookworm cycle can be addressed.

Regards,
Salvatore

#1036806#10
Date:
2023-05-26 18:51:13 UTC
From:
To:
Hi,

In fact, I believe the situation has changed. Synapse is much more stable, as is the Matrix protocol itself, and there weren’t that many security issues.

I believe I will be able to backport fixes — or ask for removal later if and when the need arises.

#1036806#15
Date:
2023-05-26 19:19:59 UTC
From:
To:
Hi Andrej,
CVEs I think since the removal (maybe more, this is just rough
checking based on the CVE years):

https://security-tracker.debian.org/tracker/CVE-2023-32323
https://security-tracker.debian.org/tracker/CVE-2022-41952
https://security-tracker.debian.org/tracker/CVE-2022-39374
https://security-tracker.debian.org/tracker/CVE-2022-39335
https://security-tracker.debian.org/tracker/CVE-2022-31152
https://security-tracker.debian.org/tracker/CVE-2022-31052

For the above CVEs, would the fixes be isolated and backportable
enough to guarantee that? If so and you are confident you will be able
to backport the fixes, then please go ahead with closing this bug.

Personally I just would like to avoid that we release bookworm with it, and
after a while we already have to go through the removal request from
stable.

Regards,
Salvatore

#1036806#20
Date:
2023-05-28 12:17:36 UTC
From:
To:
Hi

For those following the bugreport:

Andrej is checking on the above. If it's deemed feasible we will give it
a go.

Ideally though we should remove it now before the release if it's
unfeasible to maintain, because otherwise there are higher
expectations if it's in the initial release.

A removal needs to be requested directly as a respective bug to the
release team, as autoremovals will likely not trigger right now for
this case.

Andrej, do you already have some information?

Regards,
Salvatore

#1036806#25
Date:
2023-05-30 14:24:07 UTC
From:
To:
Hi Andrej,

Did you already get a reply from upstream?

As discussed face to face, if we start shipping with it in bookworm
but relatively early would need to remove it, the impact is higher,
because people are already starting to rely on it.

Thus, being unsure, I would err on the safe side. Clarify it early in
the trixie release cycle with upstream and potentially target trixie
for inclusion.

The removal from testing would need to happen before the quiet phase
starts in some days.

What do you think?

Regards,
Salvatore

#1036806#30
Date:
2023-05-30 14:43:37 UTC
From:
To:
Hi Salvatore,

I talked to them, they said they’d not backport patches themselves. I asked if they could help with code reviews etc and there was no answer so far (but yesterday was a bank holiday in the UK).

Rethinking how much I can realistically spend on it given my commitments outside Debian, I’m not sure I want to take up another one.

Let’s keep Synapse out for now.

#1036806#49
Date:
2025-04-08 10:32:46 UTC
From:
To:
Does the re-opening of this issue mean that matrix-synapse will be
removed from trixie before release?

#1036806#54
Date:
2025-04-08 11:10:46 UTC
From:
To:
Yes, since it’s a release-critical bug.

#1036806#59
Date:
2025-04-09 01:46:59 UTC
From:
To:
I can confirm that there are easy ways to run Synapse on Debian
stable.  Specifically, I use an ultra-lightweight Debian unstable
"chroot" inside a Debian stable system.

I'm sure you could also go for a more standard Docker/Podman
Debian unstable container, and just install Synapse in that.
I just wanted to avoid installing more software I wasn't going
to use.

If you want more details, I can explain how I'm doing it.

Best,
Antonio Russo

#1036806#64
Date:
2025-04-09 02:14:17 UTC
From:
To:
In FreedomBox, for users who want to use Matrix Synapse, we have been
setting up a backports repository and allowing Matrix Synapse to be
installed from backports. (BTW, for people wanting Matrix Synapse on
stable, with A/V call setup with Coturn, federation setup with
certificates from Let's Encrypt, automatic upgrades, handling
configuration file upgrades, distribution upgrades, and other
conveniences, FreedomBox is a good choice). This backports setup has
worked well for us for several stable releases now. Many thanks to
maintainers for being thoughtful with this scenario and matrix packaging
in general.