Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Hello release team,

I try to cite from my mails to the security team; it's about #982927:

Yesterday I had a video call with the owner and lead developer of OTOBO. They want to support me in keeping the otrs2 source package in good shape for Bullseye, so that users of the package don't have to worry now. Kicking the package out of Debian would not be optimal.

They also showed me https://github.com/znuny/Znuny (https://www.znuny.com/) - they also forked OTRS CE 6 and are fixing bugs and security bugs, also all known open bugs in CVE/Debian atm.

So the plan would be now:

* Switch the source of the otrs2 package to the znuny one, so that we have releases based on an open(source) maintained safe codebase => can I get the go from you for that?
* otrs packaging at all is obsolete for bullseye+1. I will package otobo, also with otobo support, and we will work on an easy way so that users can later migrate from otrs to otobo

We also spoke about the open security issues, there is indeed one in the CKEditor, but:

#980891: The way otrs uses this library it should not be possible to attack the user, mostly only the attacker himself

#982586: That's wrong information from the OTRS AG, because it does not affect otrs 6 CE. It depends on you using an external interface, which is available in OTRS 7 and 8 (not free) and maybe in the not-free otrs 6 package via addon, but not in the community edition, which is also packaged in Debian.

XXXXXX itself is not helpful at all anymore and just wrote me **************

I hope switching as fast as possible to the znuny fork for the otrs2 source package is also an option for you, I don't want to release bullseye without it

-----

I just uploaded the otrs2 6.0.32 package to experimental. Could I have your ACK for bullseye?
:-)

-- System Information:
Debian Release: 10.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-14-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled