• Re: GStreamer 1.22.12 stable release update

    From Adam D. Barratt@21:1/5 to Marc Leeman on Tue Jan 7 11:00:01 2025
    On Tue, 2025-01-07 at 10:35 +0100, Marc Leeman wrote:
    > I'm part of the team that releases the Debian packages of GStreamer
    > into Debian. Sebastian had a discussion about a number of stability
    > and security issues in the GStreamer 1.22.0 version that is currently
    > in stable.
    >
    > The agreement with Salvatore was to upload the latest oldstable
    > release (1.22.12 at the time of writing) to address many of these.
    >
    > At the moment, all the packages have been prepared in the respective
    > salsa repositories [1] in the branches `pristine-tar`,
    > `debian/bookworm` and `upstream-bookworm` [2].
    >
    > I am new to the process of uploading new stable releases, so looking
    > into [3], the packages have the version `1.22.12-0+deb12u1` and
    > `bookworm` in the changelog.

    I'm afraid I'm a little confused here.

    Salvatore is a member of the Security Team, not the Release Team. The
    Security Team are obviously free to agree to whatever updates they feel
    are appropriate via the security archive, but if you want to update
    packages in stable you need to agree that with the Release Team. So far
    as I'm aware, this is the first time the suggestion has been raised
    with us.

    As you referenced the relevant section of DevRef, if the request here
    is to update the packages via p-u then please file one release.d.o bug
    per source package including all the requested information.

    Regards,

    Adam

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Salvatore Bonaccorso@21:1/5 to Adam D. Barratt on Tue Jan 7 19:50:01 2025
    Hi Adam, hi Marc,

    Let me try to explain the goal here, as it might give the impression
    that Adam got confused on seeing this request for the first time.

    On Tue, Jan 07, 2025 at 09:58:16AM +0000, Adam D. Barratt wrote:
    > On Tue, 2025-01-07 at 10:35 +0100, Marc Leeman wrote:
    > > I'm part of the team that releases the Debian packages of GStreamer
    > > into Debian. Sebastian had a discussion about a number of stability
    > > and security issues in the GStreamer 1.22.0 version that is currently
    > > in stable.
    > >
    > > The agreement with Salvatore was to upload the latest oldstable
    > > release (1.22.12 at the time of writing) to address many of these.
    > >
    > > At the moment, all the packages have been prepared in the respective
    > > salsa repositories [1] in the branches `pristine-tar`,
    > > `debian/bookworm` and `upstream-bookworm` [2].
    > >
    > > I am new to the process of uploading new stable releases, so looking
    > > into [3], the packages have the version `1.22.12-0+deb12u1` and
    > > `bookworm` in the changelog.
    >
    > I'm afraid I'm a little confused here.
    >
    > Salvatore is a member of the Security Team, not the Release Team. The
    > Security Team are obviously free to agree to whatever updates they feel
    > are appropriate via the security archive, but if you want to update
    > packages in stable you need to agree that with the Release Team. So far
    > as I'm aware, this is the first time the suggestion has been raised
    > with us.
    >
    > As you referenced the relevant section of DevRef, if the request here
    > is to update the packages via p-u then please file one release.d.o bug
    > per source package including all the requested information.

    Let me explain a bit how we came here with a request from Marc. While
    we were preparing the DSAs for gst-plugins-base1.0 (DSA-5831-1),
    gstreamer1.0 (DSA-5832-1) and gst-plugins-good1.0 (DSA-5838-1), the
    last one with a relatively big set of commits to address the CVEs, I got
    in contact with Sebastian, who is both involved in Debian maintenance
    and, more importantly for this case, upstream as well. He pointed out to
    us that the 1.22.x series is actually intended to carry those CVE
    fixes *and* important bugfixes. The prepared uploads were still good
    enough and important to get out, so we opted not to respin them all, but in
    that discussion we agreed that it might be a good idea to approach
    you, the release team and stable release managers, to consider doing rebases
    to those stable versions for the 1.22.y series in a point release.

    Sebastian asked Marc whether he is interested in preparing this work.

    So this mail serves as a proposal for doing so in one of the next point
    releases (the next one is too late). We (with my security team hat on)
    would strongly support that we switch to following the 1.22.y
    branch for the point releases and for upcoming GStreamer related
    security fixes.

    In fact DSA-5838-1 had one backported patch which on top of the
    source is correct, but if we had rebased to the version in 1.22.y
    we would have fixed a bug (not a regression!) in the av1
    parser as well. Notably the version in bookworm misses https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/6d2bc8b8cd6ca8d5ea0f82145a6d52235fdcd631
    (again we do not regress here as the issue was present before, but it
    would have been a nice side effect to fix it as well).

    Adam, does that give you enough background information on this
    request? It was not meant as: hey, the security team says we can rebase,
    and "bypass" the responsibility of the release team.

    Please let me know if you need any further information from Marc or
    Sebastian on specific 1.22.y questions.

    Regards,
    Salvatore

  • From Adam D. Barratt@21:1/5 to Salvatore Bonaccorso on Tue Jan 7 20:30:02 2025
    On Tue, 2025-01-07 at 19:47 +0100, Salvatore Bonaccorso wrote:
    > So this mail serves as a proposal for doing so in one of the next point
    > releases (the next one is too late). We (with my security team hat
    > on) would strongly support that we switch to following the
    > 1.22.y branch for the point releases and for upcoming GStreamer
    > related security fixes.
    > [...]
    > Adam, does that give you enough background information on this
    > request? It was not meant as: hey, the security team says we can
    > rebase, and "bypass" the responsibility of the release team.
    >
    > Please let me know if you need any further information from Marc or
    > Sebastian on specific 1.22.y questions.

    Yes, thanks, and apologies for the knee-jerk reaction to Marc's mail.

    In principle the idea sounds good, but particularly to begin with we'd
    need to see specifics of the updates. The way that works best for us
    for doing that is p-u bugs, as that's the standard workflow we use for
    updates via p-u.

    Regards,

    Adam

  • From Salvatore Bonaccorso@21:1/5 to Adam D. Barratt on Sat Jan 11 11:50:01 2025
    Hi Marc,

    On Tue, Jan 07, 2025 at 07:26:31PM +0000, Adam D. Barratt wrote:
    > On Tue, 2025-01-07 at 19:47 +0100, Salvatore Bonaccorso wrote:
    > > So this mail serves as a proposal for doing so in one of the next point
    > > releases (the next one is too late). We (with my security team hat
    > > on) would strongly support that we switch to following the
    > > 1.22.y branch for the point releases and for upcoming GStreamer
    > > related security fixes.
    > > [...]
    > > Adam, does that give you enough background information on this
    > > request? It was not meant as: hey, the security team says we can
    > > rebase, and "bypass" the responsibility of the release team.
    > >
    > > Please let me know if you need any further information from Marc or
    > > Sebastian on specific 1.22.y questions.
    >
    > Yes, thanks, and apologies for the knee-jerk reaction to Marc's mail.
    >
    > In principle the idea sounds good, but particularly to begin with we'd
    > need to see specifics of the updates. The way that works best for us
    > for doing that is p-u bugs, as that's the standard workflow we use for
    > updates via p-u.

    I hope you did not get 'scared away' :). Since this involves new
    upstream version imports/rebases, it might be worth pointing out
    that you could filter the debdiff changes by focusing on the
    impact for Debian, so including debian/ changes but filtering out
    e.g. autocreated stuff from the source.

    Does this help?

    Regards,
    Salvatore
