From antoine at nagafix.co.uk Mon Apr 7 16:29:33 2025
From: antoine at nagafix.co.uk (Antoine Martin)
Date: Mon, 7 Apr 2025 22:29:33 +0700
Subject: [winswitch] upcoming security notification mailing list for xpra projects
Message-ID: <04534a46-f18e-4146-baf7-288fed56b07c@nagafix.co.uk>

Hi,

To support the secure deployment of Xpra and aid downstream compliance with cybersecurity regulations (such as the Cyber Resilience Act, CIRCIA/CISA, etc.), we are setting up a restricted mailing list for advance notifications regarding security issues affecting any of the Xpra projects.

This includes the MS Windows and macOS builds, which bundle over a hundred third-party library dependencies. The SBOM (Software Bill of Materials) feature will help facilitate this effort.

At present, there are several known issues - some of which have not received adequate public attention. Some of these may still be assigned CVEs, and it is inevitable that new issues will be discovered over time.

Key points:
* the focus will be on currently supported versions (v5 and newer), though issues in older versions may also be reported.
* notifications will be sent within 48 hours of new discoveries, regardless of whether a mitigation is available.
* if applicable, a CVE will be requested around the same time.
* full disclosure of the issue will follow within 7 days.

If you would like to be added to this notification list, please send a request to: security at xpra.org.

This service is free and open to anyone, but please provide a brief justification for your inclusion. Ideally, the list will remain small to minimize the risk of leaks and abuse.

Cheers,
Antoine

From totaam at xpra.org Thu Apr 10 09:05:24 2025
From: totaam at xpra.org (Antoine Martin)
Date: Thu, 10 Apr 2025 15:05:24 +0700
Subject: [winswitch] [ANNOUNCE] Xpra LTS+1 v5.1
Message-ID: <65276eaf-35e4-423b-bdb5-669a913fe442@xpra.org>

Hi,

As the new "+1" update from the v5.x LTS branch, v5.2 was meant to incorporate useful new features backported from the 6.x series.

Unfortunately, the code structure in v6.x has changed so much that most of the features originally scheduled for inclusion were too difficult and risky to apply:
https://github.com/Xpra-org/xpra/issues/3954

Perhaps, this can be attempted again for v5.2 if specific features are needed.

Apart from the self-contained "keycloak" authentication module, most other changes are regular bug fixes, as normally expected. There are no critical fixes in this release.

For more details, please see:
https://github.com/Xpra-org/xpra/releases/tag/v5.1

Downloads:
https://github.com/Xpra-org/xpra/wiki/Download
(the macOS arm64 builds are stuck and may take a while to land)

Cheers,
Antoine