Opened 3 months ago
Last modified 3 months ago
#2426 new defect
Nginx repository for debian doesn't have 1.22.1 deb for Buster
uname -a: Linux myhostname 4.19.0-22-amd64 #1 SMP Debian 4.19.260-1 (2022-09-29) x86_64 GNU/Linux
nginx version: nginx/1.22.0
built by gcc 8.3.0 (Debian 8.3.0-6)
built with OpenSSL 1.1.1d 10 Sep 2019 (running with OpenSSL 1.1.1n 15 Mar 2022)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.22.0/debian/debuild-base/nginx-1.22.0=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
Hi, nginx 1.22.1 (current stable) was released on 19-Oct-2022 and contains a fix for a CVE (https://nginx.org/en/CHANGES-1.22) but is not available to Debian Buster users.
nginx.org's package repository for Debian contains a build for Debian Bullseye, but not for Debian Buster. Since Debian Buster is still supported as an LTS release until June 30, 2024 (https://wiki.debian.org/LTS), please release a .deb file for buster for v1.22.1 (and all future releases until June 30, 2024).
This link should not 404 after the build is complete and released:
Change History (3)
comment:1 by , 3 months ago
comment:2 by , 3 months ago
Just in case, see #2178 for similar request about Debian 9.
comment:3 by , 3 months ago
Thank you for considering the request. Documentation regarding what support levels for distros you support would be a huge help – I apologize if it was under my nose and I couldn't find it. I will endeavor to upgrade to Debian 11 so I can take advantage of the CVE fixes.
The thing that tripped me up was that nginx 1.22.0 supports Buster, but 1.22.1 doesn't. In my experience in open source, patch-level releases do not change the support model for the release (but a minor- or major-level change could). It seems to me that patches (especially security patches!) should be built & released for all distros that had support at the beginning of that MINOR version. With this policy 1.22.x releases would continue to support Buster, but 1.23.x would drop support. Security patches are especially critical to get out to the broadest number of distros within reason. Was this model considered?
Thanks for the quick reply and for considering my request.
It's our policy to support distributions that are supported by their respective security and release teams, e.g. in a "main" phase of support. Which is obviously no longer the case for Debian 10.
Given the fact that this is at least a second time we have this inquiry, I'm going to document our policy on nginx.org somewhere.
Also, while it's too late to resurrect Debian 10 support, we are considering adding an exception to Debian 11 (and later versions), so we can allow LTS-based support to be good enough for us to support.