RM: will become EOL upstream in December, not in testing

Bug #1760263 reported by Simon Quigley
Affects              Status        Importance  Assigned to                            Milestone
botan1.10 (Debian)   Fix Released  Unknown
botan1.10 (Ubuntu)   Invalid       Medium      Ubuntu Package Archive Administrators
monotone (Ubuntu)    Invalid       Medium      Ubuntu Package Archive Administrators
ovito (Ubuntu)       Invalid       Medium      Ubuntu Package Archive Administrators

Bug Description

Please remove botan1.10 and all packages marked as affected on this bug. From the Debian bug (connected to this bug):

"Upstream has announced that security support for botan1.10 will end
latest December 2018. Given the small number of rdepends it might be
wise to get botan1.10 out of testing."

Also:

"1. monotone is dead (last upstream release 2011), we shouldn’t keep zombies in Debian

2. ovito is leaf package and ranked very low in popcon"

It would be unwise to ship this in the LTS.

$ reverse-depends src:botan1.10
Reverse-Depends
===============
* monotone (for libbotan-1.10-1)
* ovito [amd64 i386 ppc64el s390x] (for libbotan-1.10-1)

Packages without architectures listed are reverse-dependencies in: amd64, arm64, armhf, i386, ppc64el, s390x
$ reverse-depends -b src:botan1.10
Reverse-Build-Depends
=====================
* monotone (for libbotan1.10-dev)
* ovito (for libbotan1.10-dev)

$ seeded-in-ubuntu botan1.10
botan1.10's binaries are not seeded.

-----------------------------------

$ reverse-depends src:monotone
Reverse-Recommends
==================
* bugs-everywhere (for monotone)
* ikiwiki (for monotone)
* monotone-viz (for monotone)

Reverse-Depends
===============
* qct (for monotone)

Packages without architectures listed are reverse-dependencies in: amd64, arm64, armhf, i386, ppc64el, s390x
$ reverse-depends -b src:monotone
Reverse-Build-Depends-Indep
===========================
* bugs-everywhere (for monotone)

$ seeded-in-ubuntu monotone
monotone's binaries are not seeded.

-----------------------------------

$ reverse-depends src:ovito
Reverse-Recommends
==================
* science-viewing (for ovito)

Packages without architectures listed are reverse-dependencies in: amd64, arm64, armhf, i386, ppc64el, s390x
$ reverse-depends -b src:ovito
No reverse dependencies found
$ seeded-in-ubuntu ovito
ovito's binaries are not seeded.
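The reverse-depends listings above can be checked mechanically rather than by eye. The following is an added example, not part of the bug report or of ubuntu-dev-tools: it parses that output format (the samples are the listings quoted above, embedded as constructed strings) and walks the reverse dependencies transitively, so a removal request can be checked for packages that the affected list misses.

```python
import re
from collections import deque

# Constructed sample: reverse-depends output as quoted in the bug report,
# keyed by the source package that was queried.
OUTPUTS = {
    "botan1.10": """Reverse-Depends
===============
* monotone (for libbotan-1.10-1)
* ovito [amd64 i386 ppc64el s390x] (for libbotan-1.10-1)
Packages without architectures listed are reverse-dependencies in: amd64, arm64, armhf, i386, ppc64el, s390x
""",
    "monotone": """Reverse-Recommends
==================
* bugs-everywhere (for monotone)
* ikiwiki (for monotone)
* monotone-viz (for monotone)

Reverse-Depends
===============
* qct (for monotone)
""",
    "ovito": "Reverse-Recommends\n==================\n* science-viewing (for ovito)\n",
}
# Sections that break a build or an install if the dependency disappears.
HARD = {"Reverse-Depends", "Reverse-Build-Depends", "Reverse-Build-Depends-Indep"}
ENTRY_RE = re.compile(r"^\* (\S+)(?: \[([^\]]*)\])? \(for (\S+)\)$")

def parse_reverse_depends(text):
    """Return {section: [(package, archs or None, binary)]} for one listing."""
    lines = text.splitlines()
    sections, current = {}, None
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if re.fullmatch(r"=+", nxt):  # a header is the line above an ==== rule
            current = line.strip()
            sections[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            archs = m.group(2).split() if m.group(2) else None
            sections[current].append((m.group(1), archs, m.group(3)))
    return sections

def removal_impact(root, outputs, hard_only=True):
    """Transitive set of packages that depend on `root`, via the listings in `outputs`."""
    seen, queue = set(), deque([root])
    while queue:
        for section, entries in parse_reverse_depends(outputs.get(queue.popleft(), "")).items():
            if hard_only and section not in HARD:
                continue
            for dep, _archs, _binary in entries:
                if dep not in seen:
                    seen.add(dep)
                    queue.append(dep)
    return seen
```

On these samples the hard-dependency closure of botan1.10 includes qct, which depends on monotone but is not among the packages marked as affected on this bug.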

Simon Quigley (tsimonq2) wrote:
Changed in botan1.10 (Ubuntu):
importance: Undecided → Medium
Changed in monotone (Ubuntu):
importance: Undecided → Medium
Changed in ovito (Ubuntu):
importance: Undecided → Medium
Changed in botan1.10 (Ubuntu):
status: New → Confirmed
Changed in monotone (Ubuntu):
status: New → Confirmed
Changed in ovito (Ubuntu):
status: New → Confirmed
Changed in botan1.10 (Ubuntu):
assignee: nobody → Ubuntu Package Archive Administrators (ubuntu-archive)
Changed in monotone (Ubuntu):
assignee: nobody → Ubuntu Package Archive Administrators (ubuntu-archive)
Changed in ovito (Ubuntu):
assignee: nobody → Ubuntu Package Archive Administrators (ubuntu-archive)
Changed in botan1.10 (Ubuntu):
milestone: none → ubuntu-18.03
Changed in monotone (Ubuntu):
milestone: none → ubuntu-18.03
Changed in ovito (Ubuntu):
milestone: none → ubuntu-18.03
Changed in botan1.10 (Debian):
status: Unknown → New
Steve Langasek (vorlon) wrote:

It appears there has been precisely one security SRU of botan1.10 ever, in Ubuntu 14.04. So what difference does a lack of upstream security support make to the releasability of this package in 18.04?

Changed in botan1.10 (Ubuntu):
status: Confirmed → Incomplete
Simon Quigley (tsimonq2) wrote:

> It appears there has been precisely one security SRU of botan1.10 ever, in Ubuntu 14.04. So what difference does a lack of upstream security support make to the releasability of this package in 18.04?

I think there's a difference between lack of human resources to do these updates versus updates that can be done. I personally see it to be unwise to ship a package in an LTS which will be deprecated by the end of the year and is only used by leaf packages and already EOL software.

Steve Langasek (vorlon) wrote:

I don't agree that it makes any difference to the actual security of the end user, if the upstream security fixes exist but no one cares enough about the package to include them in SRUs.

https://people.canonical.com/~ubuntu-security/cve/pkg/botan1.10.html shows 6 unfixed CVEs against botan1.10 in Ubuntu 16.04.

All of these are of medium priority, so it's not necessarily an indictment that there *haven't* been security updates for these. Still, I find the rationale for dropping these packages from the release to be rather weak.

 - monotone, ovito, and botan1.10 all successfully build from source (as of the last test rebuild in Ubuntu - there are FTBFS bugs filed in Debian however?)
 - monotone and ovito are user-facing applications which, while they may not have a broad userbase, don't appear to have any direct replacement in the archive.
 - neither the monotone nor the ovito package have in principle done anything wrong by not switching to botan2, which only became available in sid and Ubuntu on March 17.
 - the CVE history of botan1.10 suggests that having botan 1.10 vs. botan 2 in bionic is unlikely to have any impact on the security support received by the end user.
 - none of these packages have yet been removed from Debian (though they have been removed from Debian testing).

If these packages had been removed from Debian, I would follow that removal without question. But removal from testing is not by itself enough of a reason to remove from Ubuntu, IMHO.

Simon Quigley (tsimonq2) wrote:

Understood.

I therefore withdraw this removal request.

Changed in botan1.10 (Ubuntu):
status: Incomplete → Won't Fix
Changed in monotone (Ubuntu):
status: Confirmed → Invalid
Changed in botan1.10 (Ubuntu):
status: Won't Fix → Invalid
Changed in ovito (Ubuntu):
status: Confirmed → Invalid
Changed in botan1.10 (Debian):
status: New → Fix Released