Hi! In Tails we're shipping systemd/stretch-backports. We will freeze our code base (and the APT repositories we use) on Jan 18 for our next major release, so in the current state of things we would ship 239-12~bpo9+1, which is vulnerable to these 3 vulnerabilities. So I've started researching our options and I'm wondering:
What's your plan wrt. stretch-backports? I realize that with the serious regressions brought by v240 — that I see upstream and you are quickly fixing, woohoo! — you might want to let v240 mature a bit longer in testing/sid before backporting, so I would understand if you're reluctant to upload 240-4 to stretch-backports as soon as it migrates to testing. But maybe you plan to upload 239-12~bpo9+2 with the fixes backported? FWIW, on the Tails side I'll build a custom backport of 240-4 and will run it through the Tails integration test suite, because we have other incentives to upgrade (getting the fixes for https://github.com/systemd/systemd/issues/9461) and I'd rather do this upgrade now in a controlled, relaxed way, than at the last minute before our freeze (if v240 is uploaded to stretch-backports on Jan 17-18). Thanks a *lot* for your amazing work on the systemd package! Cheers, -- intrigeri
