Am 23.08.2018 um 15:55 schrieb Emmanuel Bourg: > On 23/08/2018 13:14, Markus Koschany wrote: >> Apparently upstream doesn't consider this "to be their problem". Since >> simple-xml has no reverse-dependencies and the current uploader is MIA, >> I think we should consider requesting the removal of simple-xml. > > simple-xml is a dependency of carrotsearch-randomizedtesting. > > The fix should be trivial, it's just a matter of disabling external > entities parsing on the underlying XML parser. And maybe we've already > fixed the XML parser used by default.
My concern is that we have an upstream project that does not even consider such a trivial fix. Then we have another example of a fire-and-forget one time upload (simple-xml) and now the package is carried "by the team". carrotsearch-randomizedtesting is a test-dependency for lucence4.10 and spatial4j, same pattern, one time upload, now carried by the team. And when I see that we ship at least three versions of lucene in Debian, then I suppose we still have some room for improvements. The gist is: Better maintain few packages and do it well, instead of maintaining many packages that just exist for collecting RC bugs. Markus
signature.asc
Description: OpenPGP digital signature
