dkg and I had a discussion about this recently and he asked me to summarize my understanding of it.

- WireGuard still prefers to operate on a rolling basis, with new snapshots totally replacing old ones, with no stability, security, or other long term guarantees.
- WireGuard probably won't be operating this way for too much longer, since we plan to change how we do releases after mainline inclusion.
- In spite of the above formalism, dkg thinks that WireGuard has been pretty stable for a while.
- There are a significant number of Debian stable users who use WireGuard from the unstable repo, via priority pinning. This works, but might lead to users inadvertently mixing and matching other unstable and stable packages.
- The tools package makes use of getentropy() which is only in recent versions of libc, making the current scheme problematic without a patch.

As such, dkg suggested closing this bug to enact the following:

- Migration of package into testing, on a rolling basis.
- Backporting of package into stable-backports, on a rolling basis.

The long term plan, once testing becomes stable, will be to:

- Maintain oldstable-backports, on a rolling basis.
- Maintain stable-{backports,security}, on a rolling basis, depending on dkg's security judgement. [*]
- Maintain unstable, on a rolling basis.

The short term plan is:

- Maintain unstable, on a rolling basis.
- Maintain stable-backports, on a rolling basis.

[*] This is based on dkg's security judgement, not upstream's, since at the time of writing, upstream _only_ operates on a snapshot rolling basis and considers every new snapshot to be critical, and explicitly notes that the project is not at the moment assigning CVEs, and so downstream decisions should be made with this stability & security anti-guarantee in mind.

I find the above plan complex and the general notion of shipping outdated snapshots to users, ever, is not something I'm overly comfortable with.
However, if dkg feels he can operate the above machinery on a basis that's "near-rolling", then I'll follow his judgement, provided awareness of [*] stays intact. There are, indeed, general packaging consistency advantages of closing this bug; however, these will need to be weighed against the other considerations as well.