Hi,

Santiago wrote:
> While I consider that users of isc-dhcp-{client,server} should migrate
> to alternative implementation, I think it is too late now to ask for
> the removal of isc-dhcp, being so close to release trixie.

I very much agree with the above.

Sebastian wrote:
> Except for fai-quickstart all reverse dependencies have MRs.

This is, unfortunately, not correct. I don't have an MR for ikvswitch, for example. It may not be so hard to fix, but it's still annoying and dangerous to have to rush it. This may lead to unforeseen bugs.

Thomas Lange wrote:
> isc-dhcp is the reference implementation of a DHCP server and still
> used by nearly 8000 users (see popcon), but the main replacement
> called kea has only around 180 installations.

Switching to Kea is really not straightforward. Its configuration file is very different from isc-dhcpd. Same with dnsmasq: it's completely different.

In the end, it's IMO a decision that Santiago should be taking. He's the only one that can have a clue if it's possible to support isc-dhcp for security for even more time, and without support from upstream. And he seems to be ok with the idea. So why not? It wouldn't be the first time that Debian takes care of a package without upstream support.

Also, I don't think we'll be alone. I wouldn't be surprised if other major distros also published patches if there was a CVE, considering the current number of users.

Cheers,

Thomas Goirand (zigo)
