Hi Noah, [disclaimer: not part of the release team, but asking the questions with the security team's view on this request]
On Mon, Mar 31, 2025 at 10:16:34AM -0400, Noah Meyerhans wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: dove...@packages.debian.org
> Control: affects -1 + src:dovecot
>
> Hi release team. I opened a transition request for dovecot a couple of weeks
> ago, but figure it might be ignored at the moment given the state of the
> freeze [1]. Apologies for the redundancy.
>
> I'd very much like to include dovecot 2.4.1 with the trixie release. The
> version currently in testing is basically the same version as what's in
> bookworm and is barely supported upstream as it is. Supporting it for the
> full lifetime of trixie will be challenging.
>
> The earlier transition was opened because dovecot upstream releases impact
> dovecot-dev, which is a build-dep of dovecot-fts-xapian and dovecot-antispam.
> The former simply needs a binNMU, as it fully supports 2.4.1 today. The
> dovecot-antispam package, on the other hand, hasn't seen any commits to the
> upstream git repository since 2017 and hasn't seen any maintainer activity in
> Debian since 2018. It does not support dovecot 2.4, and IMO we should not
> ship it with trixie. [2]
>
> Note that the 32-bit build issues described in the transition request have
> been fully resolved, and dovecot builds on all release architectures.
>
> Risks associated with updating include:
>
> * dovecot 2.4 is a major upgrade and was released early this year after
>   several years of upstream development. There is certainly the potential to
>   introduce new bugs.
> * dovecot 2.4 introduces configuration file syntax changes that will cause
>   pain for admins during the upgrade process.
>
> Responses to these risks:
>
> * dovecot 2.4 will be supported by upstream for a longer period of time than
>   the 2.3 branch. They've already made one bug fix release (2.4.1, the
>   subject of this request) and will make more as needed.
> * 2.3 is mature, but also not receiving significant attention upstream. I
>   expect that we'd generally be on our own supporting this package during the
>   trixie lifetime.
> * The pain associated with the config file changes is unlikely to be mitigated
>   by avoiding this transition. We'd just be putting it off. There are no
>   plans to develop an automated configuration translation tool.
>
> The proposed version is currently in experimental as 1:2.4.1+dfsg1-1~exp1 [3].
> Prior to that, 2.4.0 had several revisions in experimental where various bugs
> were identified and squashed.
>
> The complete debdiff is at
> https://people.debian.org/~noahm/dovecot_2.4.1+dfsg1-1~exp1.debdiff
>
> The debian/changelog diff between testing and experimental is attached.

Do you have any upstream statement on how they will handle the 2.3.y series after their 2.4 release? Do they plan to still backport CVE fixes for the 2.3 series, or is it considered officially end of life? If so, we might be better off moving to 2.4 for the trixie lifecycle, but I understand there are major changes impacting users.

Ultimately I guess the question is how confident you are that 2.4 can be made ready in time now during the freeze for any potential fallouts, reports, or bugs from users?

Sorry that these are not very specific questions.

Regards,
Salvatore