Bug#989406: wireguard-dkms makes little sense with the bullseye kernel
Control: severity 989406 normal
Control: retitle 989406 wireguard-dkms is unneeded for stock kernels > 5.6

I'm downgrading the severity to keep wireguard-dkms in bullseye -- we can increase it again once bullseye is released to keep wireguard-dkms out of bookworm.

Adrian or others, if you would prefer that we handle this differently, please give a bit more detail about the timeline you'd prefer and why.

Regards,

--dkg
Bug#989406: wireguard-dkms makes little sense with the bullseye kernel
Could you close this bug or downgrade its severity, or do whatever it takes so that this *isn't* removed from bullseye? Removing this package from the bullseye release would cause large problems.
Bug#989406: wireguard-dkms makes little sense with the bullseye kernel
On Thu 2021-06-03 01:37:25 +0300, Adrian Bunk wrote:
> Overall it feels like a package with high CVE risk and 0 users
> in bullseye.

I agree with Jason that some people may use non-standard, older kernels with bullseye, so there is some value in continuing to provide wireguard-dkms in bullseye to help those folks. (i'm thinking about people running older hardware that has had support dropped in newer kernels, for example).

It is not going to be exactly 0 users, but i expect the number to be small. At the same time, a package with a small number of users presents a smaller attack surface if a CVE does come up.

The stock kernels already avoid people accidentally pulling in wireguard-dkms by default if they just "apt install wireguard".

At some point, though, people who choose to run their own (non-debian) kernel will need to effectively take responsibility for their kernel modules as well, so i do not expect Debian to continue shipping wireguard-dkms indefinitely. I do not expect to ship it in bookworm (bullseye+1), for example.

--dkg
Bug#989406: wireguard-dkms makes little sense with the bullseye kernel
Package: wireguard-dkms
Severity: serious

The only kernel shipped in bullseye is 5.10, and dkms.conf already inhibits building the module for it.

There is not much benefit shipping a package that cannot do anything useful in the release in question.

Running the buster kernel at least temporarily is possible, but in that case the user already has to have the package installed for any benefit. For using wireguard in buster today, the buster-backports kernel would anyway be the best solution.

Overall it feels like a package with high CVE risk and 0 users in bullseye.