Control: retitle -1 transition: slurm-wlm Control: user -1 release.debian....@packages.debian.org Control: usertags -1 - unblock + transition Control: tags -1 confirmed
Hi Gennaro, Salvatore On 2023-01-25 21:40:31 +0100, Salvatore Bonaccorso wrote: > Hi Release Team, > > On Sat, Jan 21, 2023 at 07:39:09PM +0100, Gennaro Oliva wrote: > > Package: release.debian.org > > Severity: normal > > User: release.debian....@packages.debian.org > > Usertags: unblock > > X-Debbugs-Cc: t...@security.debian.org > > > > Please unblock package slurm-wlm > > > > This is the latest codebase for slurm-wlm > > > > [ Reason ] > > The version of slurm-wlm in bookworm (21.08) is too old. Upstream > > only guarantee patches for the current version and the previous. > > They release 1 major version every 9 months, latest was 22.05. > > This means that version 21.08 will be soon unsupported, making > > the security maintenance for the package problematic. > > > > [ Impact ] > > There is a soname bump, but few tools outside the package depends > > on libslurm. The most relevant is mpich that uses libslurm to > > spawn mpi processes using slurm. I built and tested mpich version > > against slurm 22.05.7-1 on x86_64 with no issues. > > > > [ Tests ] > > I did the usual tests with autopkgtest and with my personal setup. > > I did the autopkgtest also for mpich built against lislurm38. > > > > [ Risks ] > > slurm-wlm is auto-consistent and usually very stable. > > > > [ Checklist ] > > [x] all changes are documented in the d/changelog > > [x] I reviewed all changes and I approve them > > [x] attach debdiff against the package in testing > > > > [ Other info ] > > This version is out since may 2022. slurm-wlm is used in thousand of > > sites for production so this version is to be considered very mature. > > From security team perspective, we would support this approach if you > think this is still feasible for your and the current release > schedule, still knowing that the transition and toochain freeze is now > active. Feasible yes, but with the caveat that mpich is a key package. So if there are any issues with the transition, we'll ask for a revert. Gennaro, please go ahead. Cheers -- Sebastian Ramacher