Package: debian-security-support
Severity: normal
X-Debbugs-Cc: Debian Security Team <[email protected]>, [email protected]
I propose to mark hdf5 as limited support in Debian 11 (bullseye).

# Package Description

Hierarchical Data Format 5 (HDF5) is a file format and library for storing scientific data. HDF5 was designed and implemented to address the deficiencies of HDF4.x. It has a more powerful and flexible data model, supports files larger than 2 GB, and supports parallel I/O.

# Obstacles Preventing Continued Support

Upstream does not seem to support security updates of older releases. There are tags of the 1.10 series in bullseye up to 1.10.11, but they contain a lot of changes all over the place, like reformatting, adding new functionality and behavior changes. So uploading a new upstream version seems too risky.

On the other hand, the upstream git has no clear commits for the security patches. They are often committed in bulk and then partly reverted due to regressions and later committed again, probably due to other commits in between fixing the regressions.

There is https://github.com/HDFGroup/cve_hdf5.git, which allows easy testing of the CVEs, and I tried cherry-picking some commits, but it resulted in different tests failing.

# Proposed entry for security-support.deb11

    hdf5 limited Not covered by security support, only suitable for trusted content, see -1

