1. Forum
  2. Usenet
  3. LINUX.DEBIAN.BUGS.DIST

  • Bug#1108992: opendnssec: OpenDNSSEC is (almost) End-of-Life

    From =?utf-8?b?T25kxZllaiBTdXLDvQ==?=@21:1/5 to All on Wed Jul 9 09:20:01 2025
    Source: opendnssec
    Version: 1:2.1.12-2
    Severity: grave
    Justification: renders package unusable

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    Hi,

    I am filling this as grave, but feel free to change the severity if you get an agreement from the security team.

    During the recent CENTR Jamboree 2025, NLNetLabs (upstream) announced that OpenDNSSEC is essentially dead and they plan to announce EOL later this year:

    https://nlnetlabs.nl/downloads/presentations/Nameshed-CENTR-Jamboree-20250522.pdf

    The question is whether it makes sense to release Trixie with a security software that's going to reach End-Of-Life shortly after Trixie release.

    Ondrej

    - -- System Information:
    Debian Release: 12.11
    APT prefers stable-updates
    APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates'), (500, 'stable'), (1, 'experimental')
    Architecture: amd64 (x86_64)
    Foreign Architectures: i386

    Kernel: Linux 6.1.0-37-amd64 (SMP w/12 CPU threads; PREEMPT)
    Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)

    -----BEGIN PGP SIGNATURE-----

    iQKTBAEBCgB9FiEEw2Gx4wKVQ+vGJel9g3Kkd++uWcIFAmhuFzxfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEMz NjFCMUUzMDI5NTQzRUJDNjI1RTk3RDgzNzJBNDc3RUZBRTU5QzIACgkQg3Kkd++u WcKEYQ//UhpywqE7iqbswGYQ27gAVqP6nxKyibUVj1CD8fpyt2jIcF8AvjlgxfEf tTGLCZDE/0idq5Ch/FmZ0nHYqiWt/RNRADYBOeAaAt5Km+dC5U74c8xQVhpQUfju tGhc5HxSovwryOqEMfPbhVgfvwGj/9/5667VRmB4dxJdvkH8jeqghnTY8cuvzjRZ UVxxred6+sPSAuQFPy3WYe6aYL4SOOFj1JurrjPy78XskcQucgYUewfNmlsK736Q JKqb7mG7KxJB9EZwCQTUYp8nLz4BfLrE6JdxRb67ADyc3Pm6WWOFkeAXAdr/X7G4 jETswOz6HPw6IAAuB3kcu7vE0QZAXU7LLttGOvLjs5OGRezKBaNqY15VSQyAVJFi ZaKw7QtWZEcihxEecg2g4rGpIgqxPXbTwINpkAA+Vp3N5hoFkuNMgux6BFz38pJg zqbhsh5ORDxM0ZYAJWWXMV3RBsUggCiYt6OHDaYRRewrSrH5+3MZJOnvgk1WamB2 iRq7sS8cbEoXfTUBqbuntdyHq7cRMz+vJb2Rt05FSIJ2FHzJXAYOzm4vrGnFvZAn Wg/9b2Aq/wQ4qk3hQuQtobSAbYC0HBCFIFd2EzszJAgANNyZ4yYjazW5kYwFA/0f wakPFIT8L1JPlYhkXXG/DWOcxek73WEb2zJ0D7H3SN9EuvwzwWo=
    =kftc
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Simon Josefsson@21:1/5 to Bastian Germann on Sat Jul 19 22:00:01 2025
    Bastian Germann <[email protected]> writes:

    All of the reverse dependencies should be okay when #1109389 is fixed.

    How do we stop the autoremoval from happening on 2025-08-22? The
    migration of golang-github-containers-ocicrypt from unstable to testing
    won't happen before then. Is this a situation where we should ask the
    release team (?) to migrate that package to testing earlier? Or should
    the RC severity of 1108992 be lowered? Or something else?

    /Simon

    -----BEGIN PGP SIGNATURE-----

    iQNoBAEWCAMQFiEEo8ychwudMQq61M8vUXIrCP5HRaIFAmh77DEUHHNpbW9uQGpv c2Vmc3Nvbi5vcmfCHCYAmDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9f V+QlTmXxo2naObDuGtw58YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9z ZWZzc29uLm9yZz6IlgQTFggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYh BLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XQkBQkNZGbwAAoJENc89jjFPAa+BtIA /iR73CfBurG9y8pASh3cbGOMHpDZfMAtosu6jbpO69GHAP4p7l57d+iVty2VQMsx +3TCSAvZkpr4P/FuTzZ8JZe8BrgzBFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAx I2hIX4HK9bQTpNVei708oNr1Klm8qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0 +MTXPPY4xTwGvgUCZ9F0SgUJDWRmSQCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9R cisI/kdFogUCXJLPgQAKCRBRcisI/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE 8GZHYNuFHmM9FEQS6AD6A4x5aYvoY6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4J ENc89jjFPAa+wUUBAO64fbZek6FPlRK0DrlWsrjCXuLi6PUxyzCAY6lG2nhUAQC6 qobB9mkZlZ0qihy1x4JRtflqFcqqT9n7iUZkCDIiDbg4BFySz2oSCisGAQQBl1UB BQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmdJyYPt3lNHMd6HAMBCAeIfgQYFggA JgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XTSBQkNZGboAAoJENc89jjF PAa+0M0BAPPRq73kLnHYNDMniVBOzUdi2XeF32idjEWWfjvyIJUOAP4wZ+ALxIeh is3Uw2BzGZE6ttXQ2Q+DeCJO3TPpIqaXDAAKCRBRcisI/kdFoq0aAQCpL5Y6CffX kSd6IIhEMhQS0D6iYfvCKCKdYDwMYsJTdwEAqlNfjGpIhjjzzPvggFbJIN599Zur 3Cx7pW3y2kmwbwk=
    =w0Or
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Simon Josefsson@21:1/5 to Chris Hofstaedtler on Wed Jul 23 12:30:01 2025
    Chris Hofstaedtler <[email protected]> writes:

    * Simon Josefsson <[email protected]> [250723 12:11]:
    Ah, right, although this bug would not necessarily have any activity
    since the real issue was golang-github-containers-ocicrypt but that is
    now fixed in testing. And the autoremoval was for 2025-08-22, not >>2025-07-22 which my summer heated brain incorrectly read it as...

    However if the intention to keep 'opendnssec' out of trixie, maybe this
    bug should be escalated into a removal request from the release team?

    The RM bug is #1109554.

    Great, all set then, and sorry for not being aware of progress here.

    /Simon

    -----BEGIN PGP SIGNATURE-----

    iQNoBAEWCAMQFiEEo8ychwudMQq61M8vUXIrCP5HRaIFAmiAtv4UHHNpbW9uQGpv c2Vmc3Nvbi5vcmfCHCYAmDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9f V+QlTmXxo2naObDuGtw58YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9z ZWZzc29uLm9yZz6IlgQTFggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYh BLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XQkBQkNZGbwAAoJENc89jjFPAa+BtIA /iR73CfBurG9y8pASh3cbGOMHpDZfMAtosu6jbpO69GHAP4p7l57d+iVty2VQMsx +3TCSAvZkpr4P/FuTzZ8JZe8BrgzBFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAx I2hIX4HK9bQTpNVei708oNr1Klm8qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0 +MTXPPY4xTwGvgUCZ9F0SgUJDWRmSQCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9R cisI/kdFogUCXJLPgQAKCRBRcisI/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE 8GZHYNuFHmM9FEQS6AD6A4x5aYvoY6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4J ENc89jjFPAa+wUUBAO64fbZek6FPlRK0DrlWsrjCXuLi6PUxyzCAY6lG2nhUAQC6 qobB9mkZlZ0qihy1x4JRtflqFcqqT9n7iUZkCDIiDbg4BFySz2oSCisGAQQBl1UB BQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmdJyYPt3lNHMd6HAMBCAeIfgQYFggA JgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XTSBQkNZGboAAoJENc89jjF PAa+0M0BAPPRq73kLnHYNDMniVBOzUdi2XeF32idjEWWfjvyIJUOAP4wZ+ALxIeh is3Uw2BzGZE6ttXQ2Q+DeCJO3TPpIqaXDAAKCRBRcisI/kdFojzbAQDZKYPbXdCM QxdyU6vKB7oNZAmsKFwqtkZPRjxAZMTuqwEAv33UPiQhWR1hHq1mO8UTC626R+Dn 4QQVUO5ncdJGFQ8=
    =gQ4s
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Chris Hofstaedtler@21:1/5 to All on Wed Jul 23 12:20:01 2025
    * Simon Josefsson <[email protected]> [250723 12:11]:
    Ah, right, although this bug would not necessarily have any activity
    since the real issue was golang-github-containers-ocicrypt but that is
    now fixed in testing. And the autoremoval was for 2025-08-22, not
    2025-07-22 which my summer heated brain incorrectly read it as...

    However if the intention to keep 'opendnssec' out of trixie, maybe this
    bug should be escalated into a removal request from the release team?

    The RM bug is #1109554.

    Chris

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)