matrix-org / synapse

Synapse: Matrix homeserver written in Python/Twisted.
https://matrix-org.github.io/synapse
Apache License 2.0

Update docs about Synapse from Debian's repos #16214

Open GreenReaper opened 1 year ago

GreenReaper commented 1 year ago

Synapse was removed from Debian bookworm at the end of May on the grounds that this project could not guarantee code reviews of CVE backports. There are also open security issues in sid, although it technically remains installable there.

The documentation offering Debian's own repo as an installation option as "maintained" is therefore out of date and should be updated, perhaps merging it with the Ubuntu section below until the situation changes.

(I think this situation is unfortunate because installing an additional repo is a hurdle to usage, and 1.78 could still have been a reasonable support target, but this issue is just about updating the documentation.)

NicolasFR commented 1 year ago

Hi, I'm not a Debian expert, but the Debian security tracker only mentions sid & trixie (current testing), so the other versions would be discontinued?

clokep commented 1 year ago

From reading the linked discussion it sounds like none of the Debian distributions provide an up-to-date Synapse and newer ones don't provide it at all.

GreenReaper commented 1 year ago

Technically it has been removed from all officially released versions, but it is still possible to install a current version from the testing/rolling version, which is also the future release in mid-2025, trixie, as well as outdated versions from the "backports" repositories for older releases (but not the current release, bookworm, from a few months ago).

Work appears to be being done on Debian's synapse repo (it just got updated to 1.91.2) and so it may be that a bookworm-backports version will be available in the future (to users who have manually enabled that optional repo), but it is not available in the default release and presumably won't be for two years.

andrewshadura commented 1 year ago

The reason Synapse is not in bookworm is not these CVEs. It’s the absence of support for older releases from the upstream, and the lack of people who have time and skills to backport fixes.

As I described in the relevant bug comment, I asked to not include the package in bookworm because given my other commitments, I cannot guarantee I would be able to backport security fixes to older releases myself alone. I asked the Synapse developers whether they can commit to helping me with that, and they didn’t say yes (although haven’t refused either). I did what was the responsible thing for me to do.

I’d also like to note that the synapse package was never in bullseye or bookworm stable release, it’s always been distributed in unstable/testing and backports only. I’ll try to maintain at least that as far as I can.

It is true I don’t have much time to update the package, so updates are less frequent than in the past, but hopefully other people join (there is at least one other person who’s shown interest).

clokep commented 1 year ago

> I’d also like to note that the synapse package was never in bullseye or bookworm stable release, it’s always been distributed in unstable/testing and backports only. I’ll try to maintain at least that as far as I can.

It sounds like the docs could still use a bit of an update then as it right now sounds like it is available in stable sid & bookworm.