Hi Libreswan devs -- Thanks for your maintenance work defending against CVE-2022-23094!

In particular, as the Debian maintainer, I appreciate the attention to older versions that some stable distros are still shipping. (Debian's stable release 11 ships libreswan 4.3.) But as noted in https://github.com/libreswan/libreswan/pull/613, the patch released for 4.2 and 4.3 didn't apply safely (it caused a build failure). Not a huge deal, and a relatively obvious fix in this case, but I do wonder whether it would make sense to issue point releases (e.g. 4.3.1) for those versions that you're willing to backport security fixes to. By making a point release, you have the opportunity to run the full test suite against pre-built packages with the patches applied, to make sure the patches work.

I find git useful when managing this kind of approach. I've pushed an example branch named branch-4.3 to https://github.com/dkg/libreswan to demonstrate one way that it could be handled.

Obviously, as an external maintainer, I'm not in a position to make a 4.3.1 release on behalf of the project. And I've already sent the necessary patch to the Debian security team, so Debian stable should be fixed shortly. So for this round I don't need it. But if future vulnerabilities are discovered that apply to 4.3, and narrowly-targeted fixes are made available, I'd actually prefer to push upstream 4.3.x into Debian stable. I'd prefer that because I'd be happier knowing that the upstream build/test machinery was run against the particular combination of patches we ship, rather than manually applying specific patches and hoping that I've landed on the expected variant.

Alternately (or in addition?), I could try to replicate the upstream testing practices on the Debian testing infrastructure, but I haven't figured out how to get Debian's testing infrastructure to run all the complicated kvm- or docker-based stuff that I think y'all use upstream.

What do y'all think?

--dkg
_______________________________________________ Swan-dev mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan-dev
