Hi Sebastian,

On Mon, May 26, 2025 at 10:54:43PM +0200, Sebastian Ramacher wrote:
> Control: tags -1 moreinfo
>
> On 2025-05-24 22:52:03 +0100, Samuel Henrique wrote:
> > Package: release.debian.org
> > Control: affects -1 + src:curl
> > X-Debbugs-Cc: c...@packages.debian.org
> > User: release.debian....@packages.debian.org
> > Usertags: unblock
> > Severity: normal
> >
> > Please unblock package curl
> >
> > [ Reason ]
> >
> > curl 8.14.0 contains refactored code which will make it harder to maintain
> > 8.13.0 (patch backporting complexity); for this reason, I would like to ship
> > 8.14.0 in trixie.
> >
> > We (the curl maintainers) have been fixing every curl CVE for stable and
> > oldstable for a few years. I'm afraid that shipping 8.13.0 will make it more
> > difficult to keep doing that due to the refactors in 8.14.0.
>
> Security, what's your take on this?
First, I can definitively confirm that the curl maintainers are tracking all the CVEs well; while most did not warrant a DSA, they got fixed in subsequent point releases: https://security-tracker.debian.org/tracker/source-package/curl shows the result nicely.

While I have not explicitly looked at the refactoring mentioned in 8.13.0 -> 8.14.0, I have to trust Samuel's judgment here that it may have an impact on backporting fixes (which then also holds as an argument that backporting fixes to bookworm/oldstable will become more difficult).

If the curl maintainers are confident that 8.14.0 is in good shape for trixie, then I would suggest following their take and shipping trixie with 8.14.0.

But again, that said, I can only comment on how I observe their work with respect to fixing security issues in stable, which is a good track record.

Regards,
Salvatore