Upstream releases are to be considered draft snapshots, and this package is therefore unsuitable for inclusion in long-term distributions like Debian stable. This bug should be bumped to release-critical state close to or after entering freeze - but not before so as to ease use for users tracking testing including derivatives based on Debian testing. - Jonas
Hi Jonas, Reading the above, so janus should not have been in buster, right? As such it might be a good option to ask for removal of src:janus in buster. If you agree on that, can you file a bug for the release-team/SRM to ask for removal of the package in the next buster point release? Regards, Salvatore
Quoting Salvatore Bonaccorso (2020-06-11 22:54:43) In an ideal World (where crystal balls or time machines exist), yes. Both filing this bugreport and the upstream statement triggering it occurred _after_ the release of Buster, indicating lack of knowledge on the matter at the time of release of Buster (or, in bad faith, that it was known but kept secret - sure you cannot mean that). Yes, removal from Buster should be done. Sorry, I am not familiar with the procedures to do that, and appreciate your suggestion: Do I simply file a bugreport against ftp.debian.org as with removals from unstable/experimental, or which different runes should I throw? Kind regards, - Jonas
Quoting Jonas Smedegaard (2020-06-12 08:53:35) reportbug release.debian.org - Jonas
Don't read things into this which don't exist :-)
The only question here was whether janus should continue to be in stable
or not, no one is accusing you of anything.
For this simply do "reportbug release.debian.org" and pick the "rm"
option. The removal (if agreed by stable release managers), then happens
by the next point release.
Cheers,
Moritz
Quoting Moritz Muehlenhoff (2020-06-12 10:20:31) Thanks for confirmation :-) Yes, I figured that out (and tried to communicate that shortly after I posted the above - sorry if that update didn't reach you), and should now have initiated the procedure with bug#962694. Thanks, - Jonas
Hi Jonas, Sorry, I think there was a misunderstanding here, I by no means implied bad faith or that at the time of the buster release it was known. I probably wrote the above too short to make it clear. Let me expand a bit. While I was filing bugs for the new CVEs reported for janus I stumbled over #946412 and that made me think to reply there and raise the question on the removal of janus from buster. What I actually wanted to ask with the above is "should janus be removed from buster as ideally it would not have been released with it" but not implying the situation was already clear at that time. Sorry if that all was not clear in my wording. Thanks for filing the removal, taken note of #962694. Regards, Salvatore
Hi, yes exactly, that was my intention. Thanks Moritz for wording that in a better way than I did. Regards, Salvatore
Quoting Salvatore Bonaccorso (2020-06-12 20:56:01) Thanks for clarifying. All makes sense. I realize that our conversation could've been even smoother if I had just _silently_ assumed good faith, instead of nitpicking. Sorry for that, I've learned from this. - Jonas
Quoting Jonas Smedegaard (2019-12-08 14:09:10) As noted above, janus is unsuitable for long-term maintained stable release, and should therefore be dropped from bullseye now it is frozen. - Jonas
Hi, I added a removal hint. Given that you state that it's not suitable for a stable release, it shouldn't be in testing either. I added a block hint to prevent it from coming back after the release. Cheers, Ivo
Quoting Jonas Smedegaard (2021-04-22 14:45:08) stable releases despite upstream lack of official support for that. Janus' codebase is at least as stable if not more than a lot of other code that we ship with Debian stable, uncoordinated from upstream maintenance promises. - Jonas