• Bug#1106121: isc-dhcp - EOL and not security supported

    From Santiago Ruano Rincón@21:1/5 to All on Thu May 22 20:10:02 2025
    Control: severity -1 important

    On 19/05/25 at 22:26, Bastian Blank wrote:
    Source: isc-dhcp
    Version: 4.4.3-P1-7
    Severity: serious
    X-Debbugs-Cc: [email protected]

    isc-dhcp is EOL and marked as not security supported. It should not be released with trixie.

    See
    https://lists.isc.org/pipermail/dhcp-users/2022-October/022786.html
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035972

    Bastian

    While I consider that users of isc-dhcp-{client,server} should migrate
    to an alternative implementation, I think it is too late now to ask for the removal of isc-dhcp, being so close to release trixie.

    It is to note that, TTBOMK, there is currently no substitute for isc-dhcp-relay.

    https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#deprecated-components
    reads:

    "The security team will support the isc-dhcp package during the bookworm lifetime, but the package will likely be unsupported in the next stable release, see bug #1035972 (isc-dhcp EOL'ed) for more details."

    That doesn't mean that it will be removed in trixie.

    debian-security-support/trixie already reflects the above.


    The severity of this bug could be raised again after the release. Or the release team could also tag it ignore-trixie.

    Cheers,

    -- S


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Sebastian Ramacher@21:1/5 to Sebastian Ramacher on Thu May 22 20:50:04 2025
    On 2025-05-22 20:46:34 +0200, Sebastian Ramacher wrote:
    Control: severity -1 serious

    On 2025-05-22 15:04:43 -0300, Santiago Ruano Rincón wrote:
    Control: severity -1 important

    On 19/05/25 at 22:26, Bastian Blank wrote:
    Source: isc-dhcp
    Version: 4.4.3-P1-7
    Severity: serious
    X-Debbugs-Cc: [email protected]

    isc-dhcp is EOL and marked as not security supported. It should not be released with trixie.

    See
    https://lists.isc.org/pipermail/dhcp-users/2022-October/022786.html
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035972

    Bastian

    While I consider that users of isc-dhcp-{client,server} should migrate
    to an alternative implementation, I think it is too late now to ask for the removal of isc-dhcp, being so close to release trixie.

    It is to note that, TTBOMK, there is currently no substitute for isc-dhcp-relay.

    https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#deprecated-components
    reads:

    "The security team will support the isc-dhcp package during the bookworm lifetime, but the package will likely be unsupported in the next stable release, see bug #1035972 (isc-dhcp EOL'ed) for more details."

    That doesn't mean that it will be removed in trixie.

    It's dead. Except for fai-quickstart all reverse dependencies have MRs.

    Okay, only libguestfs has a MR. But still …

    I am all for getting it removed.

    Cheers
    --
    Sebastian Ramacher

  • From Marc Haber@21:1/5 to All on Thu May 22 21:40:01 2025
    On Thu, May 22, 2025 at 03:04:43PM -0300, Santiago Ruano Rincón wrote:
    While I consider that users of isc-dhcp-{client,server} should migrate
    to an alternative implementation,

    What is the alternative implementation for isc-dhcp-relay?

    Greetings
    Marc

    --
    -----------------------------------------------------------------------------
    Marc Haber         | "I don't trust Computers. They | Mail address in header
    Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
    Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421

  • From Marc Haber@21:1/5 to Chris Hofstaedtler on Fri May 23 12:50:01 2025
    On Fri, May 23, 2025 at 10:37:11AM +0200, Chris Hofstaedtler wrote:
    On Thu, May 22, 2025 at 09:37:05PM +0200, Marc Haber wrote:
    On Thu, May 22, 2025 at 03:04:43PM -0300, Santiago Ruano Rincón wrote:
    While I consider that users of isc-dhcp-{client,server} should migrate
    to an alternative implementation,

    What is the alternative implementation for isc-dhcp-relay?

    dnsmasq appears to have a DHCP relay implementation. I have not
    tried it.

    I think that we (Debian) should be able to give an answer to those
    questions before pulling ISC DHCP.

    Greetings
    Marc

  • From Santiago Ruano Rincón@21:1/5 to All on Fri May 23 17:10:01 2025
    On 22/05/25 at 20:34, Bastian Blank wrote:
    On Thu, May 22, 2025 at 03:04:43PM -0300, Santiago Ruano Rincón wrote:
    "The security team will support the isc-dhcp package during the bookworm lifetime, but the package will likely be unsupported in the next stable release, see bug #1035972 (isc-dhcp EOL'ed) for more details."
    That doesn't mean that it will be removed in trixie.

    So you will support this package?

    Support in which terms? As mentioned already, it won't have security
    support: https://salsa.debian.org/debian/debian-security-support/-/blob/c6f47cb42decabe13f064c8ab0aba75dd5be9b1c/security-support.deb13#L23

    There are non-security bugs to be fixed, yes. But users cannot expect
    security issues to be fixed.

  • From Moritz Mühlenhoff@21:1/5 to All on Sun Jun 8 14:10:02 2025
    On Tue, Jun 03, 2025 at 09:44:42AM +0200, Sebastian Ramacher wrote:
    Hi

    On 2025-06-02 00:25:41 +0200, Lorenzo wrote:
    On Thu, 22 May 2025 20:46:34 +0200 Sebastian Ramacher <[email protected]> wrote:
    Control: severity -1 serious

    Hi Sebastian,

    I'm a bit surprised about the timing of the removal, is this the final
    call about the severity from Release Team?

    Bug severity and removal are two different topics. But unless the
    security team re-evaluated their position on support for isc-dhcp, this
    is a bug of serious severity. Security team, has your viewpoint on
    isc-dhcp changed?

    We marked it as unsupported a long time ago, but whether this means
    that it should not be part of trixie is an orthogonal question.
    We have other packages in trixie and earlier releases which are not
    covered by security support (e.g. qtwebkit/qtwebengine).

    Anyone using it can make their own call what the lack of security
    support means for their deployment, there's certainly some use cases
    where a lack of security updates is still perfectly fine.

    And for anyone for whom this isn't, there's the possibility to move from
    ISC DHCP to Kea within bookworm given it ships both.

    From my PoV this could also be handled by
    - tag #1106121 trixie-ignore
    - maybe add a specific note to the release notes to make the lack
      of updates more visible than just src:debian-security-support
    - update the package to just build the DHCP relay shortly after
      trixie is released (to avoid having the same discussion two months
      before the forky release). And remove it for good when a replacement
      has emerged for the DHCP relay.

    Cheers,
    Moritz

  • From Paul Gevers@21:1/5 to All on Sat Jun 14 14:00:02 2025
    To: [email protected] (Thomas Lange)
    To: [email protected] (Debian Security Team)
    To: [email protected] (debian-release)

  • From Andrew Bower@21:1/5 to Lorenzo on Tue Jun 17 10:20:01 2025
    Hi Lorenzo et al.,

    On Mon, Jun 02, 2025 at 12:25:41AM +0200, Lorenzo wrote:
    What is the default replacement for the client? and for the server?
    I looked at the discussion on -devel and I'm still unsure..
    dhcpcd-base + dhcpcd and kea?
    without this info I'm not able to decide what to do for runit-services;
    there are 3 services for isc-*, two in bookworm, and none for
    alternatives so I guess it will be a regression for runit users.

    I don't think runit-services needs to do anything except remove at
    leisure the service definitions for packages that have already been
    removed from the archive?

    A service directory for the server replacements would be nice instead of fallback to initscript of course. Personally I'm not using the
    replacements so don't have one to contribute yet.

    And I wouldn't expect new clients to get added unless they have service definitions for other init systems, as ifupdown etc. are the way to use
    them generally - hence the disablement of the dhclient service directory previously.

    Overall I think it would work better if the removal is done at the
    beginning of the forky cycle. A release note could help pushing users towards alternatives and leave us a proper time to test the new
    defaults. Could you reconsider?

    I'm glad this seems to have been the decision lower down the thread.

    Personally I will miss both the server and the client. I don't like the
    way the replacement client (so far as I am aware) combines IPv4 and IPv6 behaviour when they are mostly independent concerns.

    Andrew
