Hi Andrej, On Fri, May 26, 2023 at 08:51:13PM +0200, Andrej Shadura wrote: > Hi, > > On Fri, 26 May 2023, at 19:28, Salvatore Bonaccorso wrote: > > I believe matrix-synapse is still in the same status as for #982991 > > back for the bullseye release, and not suitable to be included in > > bookworm as stable release. > > In fact, I believe the situation has changed. Synapse it much more > stable, as is the Matrix protocol itself, and there weren’t that > many security issues.
For reference for the discussion: So there were at least the following CVEs I think since the removal (maybe more, this is just rought checking based on the CVE years): https://security-tracker.debian.org/tracker/CVE-2023-32323 https://security-tracker.debian.org/tracker/CVE-2022-41952 https://security-tracker.debian.org/tracker/CVE-2022-39374 https://security-tracker.debian.org/tracker/CVE-2022-39335 https://security-tracker.debian.org/tracker/CVE-2022-31152 https://security-tracker.debian.org/tracker/CVE-2022-31052 > > As such let it have removed from bookworm if you agree. If this is not > > correct, we need to have assurance security fixes arising during the > > bookworm cycle can be addressed. > > I believe I will be able to backport fixes — or ask for removal > later if and when the need arises. For the above CVEs, would have the fixes be isolated and backportable enough to guarantee that? If so and you are confident you will be able to backport the fixes, then please go ahead with closing this bug. Personally I just would like to avoid we release bookworm with it, and after while we have already to go trought the removal request from stable. Regards, Salvatore
