[Swan-dev] Considering maintenance releases?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Jan 13 17:36:48 EET 2022


Hi Libreswan devs--

Thanks for your maintenance work defending against CVE-2022-23094!

In particular, as the debian maintainer, i appreciate the attention to
older versions that some stable distros are still shipping. (debian's
stable release 11 ships libreswan 4.3)

But as noted in https://github.com/libreswan/libreswan/pull/613, the
patch released for 4.2 and 4.3 didn't apply safely (caused a build
failure).  Not a huge deal, and a relatively obvious fix in this case,
but i do wonder whether it would make sense to issue point releases
(e.g. 4.3.1) for those versions that you're willing to backport security
fixes to?

By making a point release, you have the opportunity to apply the full
test suite against pre-built packages with the patches applied, to
make sure the patches work.

I find git useful when managing this kind of approach.  I've pushed an
example branch named branch-4.3 to https://github.com/dkg/libreswan to
demonstrate one way that it could be handled.

Obviously, as an external maintainer, i'm not in a position to make a 4.3.1
release on behalf of the project.  And I've already sent the necessary
patch to the debian security team so that debian stable should be fixed
shortly. So for this round i don't need it.  But if future
vulnerabilities are discovered that apply to 4.3, and narrowly-targeted
fixes are made available, i'd actually prefer to push upstream 4.3.x
into debian stable.

I'd prefer that because i'd be happier knowing that the upstream
build/test machinery was run against the particular combination of
patches we ship, rather than manually applying specific patches and
hoping that i've landed on the expected variant.

Alternately (or in addition?), i could try to replicate the upstream
testing practices on the debian testing infrastructure, but I haven't
figured out how to get debian's testing infrastructure to run all the
complicated kvm- or docker-based stuff that i think y'all use upstream.

What do y'all think?

     --dkg