Remove support for nvidia-cuda-toolkit in buster
A package is being proposed for EOL (end-of-life) because it can no longer be supported adequately. Please fill in the information sections below.
Metadata
- package: nvidia-cuda-toolkit
- releases: buster
Current State
For more information, see also this discussion: https://lists.debian.org/debian-lts/2023/06/msg00032.html
The package is closed-source and non-free.
It does not look like any other vendor maintains this package.
Obstacles Preventing Continued Support
The main obstacle to continued support is that upstream only maintains the most recent software and not earlier releases. The upstream 9.2.x series seems to be EOL. 10.1 (and later) are not binary compatible with 9.2. Fixes are only available in the latest upstream release. Since the software is closed source, it is not possible to backport individual corrections.
The most important problem is CVE-2020-5991, since it can result in arbitrary code execution. CVE-2020-5991 is "ignored" but with the wrong motivation. There are a few other issues as well, but they all require the user to read a crafted/malformed ELF file. Those could be motivated as "postpone" or potentially "ignore".
Alternative Courses of Action
We could upgrade to the latest release, but that would break a lot of things for the user. CUDA applications will not work without rebuilding and will most likely need a patch as well.
Potential Impacts
Impacts of taking no action
Users may have the impression that there is security support, while in practice this is not possible.
Impacts of full EOL
In practice it is already EOL, so the impact is not that large. The obvious impact is that CUDA applications should only be run on trusted data.
Impacts of alternative course(s) of action
Similar impact as when the customer has to upgrade to a later release, meaning quite a heavy impact.
Additional impacts
There are also packages within Debian that may be affected, like python3-pygpu. I have not checked all reverse dependencies, since this does not matter that much and there are also very many packages to check.