Your message dated Tue, 5 May 2020 08:43:27 +0100
with message-id
<CAGsaWmNH24iESCy_LLxZA9=92ZbLm3S-8mynGjeq4Tirf=-r...@mail.gmail.com>
and subject line Re: Bug#959685: security concerns for stable release
has caused the Debian Bug report #959685,
regarding security concerns for stable release
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
959685: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959685
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: kubernetes
Severity: serious
X-Debbugs-Cc: t...@security.debian.org
Hi the kubernetes maintainer,
Copying from kubernetes docs[1].
> The Kubernetes project maintains release branches for the most recent three
> minor releases.
> Minor releases occur approximately every 3 months, so each minor release
> branch is maintained for approximately 9 months
[1]
https://kubernetes.io/docs/setup/release/version-skew-policy/#supported-versions
So could you provide your plan to support kubernetes in Debian stable release,
thanks?
CCed the security team as well for their options.
--
Shengjing Zhu
--- End Message ---
--- Begin Message ---
Hi,
The overwhelming majority of software in Debian has no release policy, any
kind of governance to speak of or even a vague promise of support. Most of
us are still not opening 'serious' bugs against thousands of packages based
on our deep 'concerns' to sabotage them. This is primarily the Bug Tracking
System and not the Concern Tracking System. Kubernetes on the other hand
has a history of taking security problems seriously and fixing them
promptly.
In the past 5 years of the Kubernetes project there were some 14 security
bugs worthy of a CVE #. Based on the size of the project and the scrutiny
that it benefits from that is a pretty small number. Also, not all of those
bugs were very serious - some were. Not all of those bugs affected old
releases - some did. For some of them a mitigation was possible without
replacing binaries - not in all cases though. At this point we are talking
about a fraction of a small number to start with. In the remaining cases we
can still backport the available patches ourselves if need be or reach out
to the community if needed.
Also, since Kubernetes (and almost all Go programs) is essentially shipped
as a static binary, upgrading to a newer version is simpler, as in it won't be
affecting all other packages installed. Obviously the actual process of
upgrading Kubernetes can be more involved, depending on the configuration
of an installation.
I'm closing this concern for now.
On Mon, 4 May 2020, 01:09 Shengjing Zhu, <z...@debian.org> wrote:
> Package: kubernetes
> Severity: serious
> X-Debbugs-Cc: t...@security.debian.org
>
> Hi the kubernetes maintainer,
>
> Copying from kubernetes docs[1].
> > The Kubernetes project maintains release branches for the most recent
> three minor releases.
> > Minor releases occur approximately every 3 months, so each minor release
> branch is maintained for approximately 9 months
>
> [1]
> https://kubernetes.io/docs/setup/release/version-skew-policy/#supported-versions
>
> So could you provide your plan to support kubernetes in Debian stable
> release, thanks?
> CCed the security team as well for their options.
>
> --
> Shengjing Zhu
>
--- End Message ---