#946412 janus-gateway: upstream does not support stable releases

Package:
src:janus
Source:
janus
Submitter:
Jonas Smedegaard
Date:
2021-12-14 09:18:02 UTC
Severity:
important
Tags:
#946412#5
Date:
2019-12-08 13:09:10 UTC
From:
To:
Upstream releases are to be considered draft snapshots,
and this package is therefore unsuitable for inclusion
in long-term distributions like Debian stable.

This bug should be bumped to release-critical state
close to or after entering freeze -
but not before so as to ease use for users tracking testing
including derivatives based on Debian testing.

 - Jonas

#946412#14
Date:
2020-06-11 20:54:43 UTC
From:
To:
Hi Jonas,

Reading the above, so janus should not have been in buster, right?

As such it might be a good option to ask for removal of src:janus in
buster. If you agree on that, can you file a bug for the
release-team/SRM to ask for removal of the package in the next buster
point release?

Regards,
Salvatore

#946412#19
Date:
2020-06-12 06:53:35 UTC
From:
To:
Quoting Salvatore Bonaccorso (2020-06-11 22:54:43)
In an ideal World (where crystal balls or time machines exist), yes.

Both filing this bugreport and the upstream statement triggering it
occurred _after_ the release of Buster, indicating lack of knowledge on
the matter at the time of release of Buster (or, in bad faith, that it
was known but kept secret - sure you cannot mean that).

Yes, removal from Buster should be done.

Sorry, I am not familiar with the procedures to do that, and appreciate
your suggestion: Do I simply file a bugreport against ftp.debian.org as
with removals from unstable/experimental, or which different runes
should I throw?

Kind regards,

 - Jonas

#946412#24
Date:
2020-06-12 06:57:29 UTC
From:
To:
Quoting Jonas Smedegaard (2020-06-12 08:53:35)
  reportbug release.debian.org


 - Jonas

#946412#31
Date:
2020-06-12 08:20:31 UTC
From:
To:
Don't read things into this which don't exist :-)

The only question here was whether janus should continue to be in stable
or not, no one is accusing you of anything.

For this simply do "reportbug release.debian.org" and pick the "rm"
option. The removal (if agreed by stable release managers), then happens
by the next point release.

Cheers,
        Moritz

#946412#36
Date:
2020-06-12 08:29:06 UTC
From:
To:
Quoting Moritz Muehlenhoff (2020-06-12 10:20:31)

Thanks for confirmation :-)

Yes, I figured that out (and tried to communicate that shortly after I
posted the above - sorry if that update didn't reach you), and should
now have initiated the procedure with bug#962694.


Thanks,

 - Jonas

#946412#41
Date:
2020-06-12 18:56:01 UTC
From:
To:
Hi Jonas,

Sorry I think there was a misunderstanding here, I by no means
implied bad faith or that at the time of the buster release it was
known. I probably wrote the above too short to make it clear. Let me
expand a bit.

While I was filing bugs for the new CVEs reported for janus I stumbled
over #946412 and that made me think to reply there and raise the
question on the removal of janus from buster. What I actually wanted
to ask with the above is "should janus be removed from buster as
ideally it would not have been released with it" but not implying the
situation was already clear at that time.

Sorry if that all was not clear in my wording.

Thanks for filing the removal, taken note of #962694.

Regards,
Salvatore

#946412#46
Date:
2020-06-12 18:57:26 UTC
From:
To:
Hi

Yes, exactly, that was my intention. Thanks Moritz for wording that
in a better way than I did.

Regards,
Salvatore

#946412#51
Date:
2020-06-12 19:10:56 UTC
From:
To:
Quoting Salvatore Bonaccorso (2020-06-12 20:56:01)

Thanks for clarifying.  All makes sense.

I realize that our conversation could've been even smoother if I had
just _silently_ assumed good faith, instead of nitpicking.  Sorry for
that, I've learned from this.


 - Jonas

#946412#56
Date:
2021-04-22 12:45:08 UTC
From:
To:
Quoting Jonas Smedegaard (2019-12-08 14:09:10)

As noted above, janus is unsuitable for long-term maintained stable
release, and should therefore be dropped from bullseye now it is frozen.

 - Jonas

#946412#63
Date:
2021-04-22 13:05:31 UTC
From:
To:
Hi,

I added a removal hint.

Given that you state that it's not suitable for a stable release, it shouldn't
be in testing either. I added a block hint to prevent it from coming back
after the release.

Cheers,

Ivo

#946412#68
Date:
2021-12-05 20:44:40 UTC
From:
To:
Quoting Jonas Smedegaard (2021-04-22 14:45:08)
stable releases despite upstream lack of official support for that.
Janus' codebase is at least as stable if not more than a lot of other
code that we ship with Debian stable, uncoordinated from upstream
maintenance promises.


 - Jonas