Package: src:matrix-synapse
Severity: normal
Tags: upstream
X-Debbugs-Cc: Dan Callahan <d...@element.io>, t...@security.debian.org
As has been discussed with the upstream and the security team, it’s best to not include Synapse in stable releases just yet. It was originally included in Buster, but as freeze happened just a few months before the release of 1.0, Buster ended up with a version missing important code updates and it had to be removed when backporting security fixes was proven to be infeasible (see #959723).

Dan Callahan of Element writes:

> Unfortunately, I expect an even greater rate of code churn and security
> fixes throughout 2021, and my team does not currently have the capacity
> to assist with backporting fixes, nor to maintain a long-lived stable
> branch. I've mentioned my concerns to the package maintainer, but I'm
> concerned that he may be overly optimistic and we'll find ourselves
> repeating the pain of removing matrix-synapse from a Debian release.
>
> Shipping software with known vulnerabilities in stable harms users
> and places their servers at risk. Pulling a package from the archive
> inconveniences users, creates work for the release managers, and reflects
> poorly on the packaged software.

The security team also agreed and pointed out #959723 was something that shouldn’t be repeated.

This bug will be raised in severity to "serious" when Bullseye freezes completely, which will likely happen in April. Before that, keeping it at a lower severity should enable backports to Buster.

-- 
Cheers,
Andrej