| From | Holger Levsen <holger@layer-acht.org> |
|---|---|
| Newsgroups | linux.debian.bugs.dist |
| Subject | Bug#1117607: debian-security-support: Mark hdf5 with limited support |
| Date | 2025-10-08 20:00 +0200 |
| Message-ID | <LDGCd-3HU3-7@gated-at.bofh.it> (permalink) |
| References | <LDDO2-3G33-9@gated-at.bofh.it> <LDDO2-3G33-9@gated-at.bofh.it> |
| Organization | linux.* mail to news gateway |
Hi Jochen,

thanks for your bug report!

On Wed, Oct 08, 2025 at 04:50:14PM +0200, Jochen Sprickerhof wrote:
> Package: debian-security-support
> Severity: normal
> X-Debbugs-Cc: Debian Security Team <team@security.debian.org>, hdf5@packages.debian.org
>
> I propose to mark hdf5 as limited support in Debian 11 (bullseye).

bullseye is under the realm of the LTS team, thus cc:ing them with full
quote.

that said: hdf5 is also present in all our later suites, so why only
bullseye, but not forkytrixiebookwormsid?

> # Package Description
>
> Hierarchical Data Format 5 (HDF5) is a file format and library for
> storing scientific data. HDF5 was designed and implemented to address
> the deficiencies of HDF4.x. It has a more powerful and flexible data
> model, supports files larger than 2 GB, and supports parallel I/O.
>
> # Obstacles Preventing Continued Support
>
> Upstream does not seem to support security updates of older releases.
> There are tags of the 1.10 series in bullseye up to 1.10.11 but they
> contain a lot of changes all over the place, like reformatting, adding
> new functionality and behavior changes. So uploading a new upstream
> version seems too risky. On the other hand the upstream git has no clear
> commits of the security patches. They are often committed in bulk and
> then partly reverted due to regressions and later committed again,
> probably due to other commits in between fixing the regressions. There
> is https://github.com/HDFGroup/cve_hdf5.git which allows easy testing of
> the CVEs and I tried cherry-picking some commits but it resulted in
> different tests failing.
>
> # Proposed entry for security-support.deb11
>
> hdf5 limited Not covered by security support, only suitable for trusted content, see -1

-- 
cheers,
        Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

figures don't lie, but liars figure.
Bug#1117607: debian-security-support: Mark hdf5 with limited support Jochen Sprickerhof <jspricke@debian.org> - 2025-10-08 17:00 +0200
Bug#1117607: debian-security-support: Mark hdf5 with limited support Holger Levsen <holger@layer-acht.org> - 2025-10-08 20:00 +0200
Bug#1117607: debian-security-support: Mark hdf5 with limited support Jochen Sprickerhof <jspricke@debian.org> - 2025-10-08 20:50 +0200
Bug#1117607: debian-security-support: Mark hdf5 with limited support Moritz Mühlenhoff <jmm@inutil.org> - 2025-10-08 23:20 +0200
Bug#1117607: debian-security-support: Mark hdf5 with limited support Holger Levsen <holger@layer-acht.org> - 2025-10-09 10:10 +0200
Bug#1117607: debian-security-support: Mark hdf5 with limited support Moritz Mühlenhoff <jmm@inutil.org> - 2025-10-09 20:50 +0200
Bug#1117607: debian-security-support: Mark hdf5 with limited support Holger Levsen <holger@layer-acht.org> - 2025-10-10 10:50 +0200