On 26.09.20 at 10:27, Emmanuel Bourg wrote:
> On 25/09/2020 13:50, Markus Koschany wrote:
>
>> Why did you upgrade hibernate-validator to version 5.x when
>> no other package in Debian requires it? Wouldn't it have been
>> simpler to revert the upgrade instead of creating a separate
>> hibernate-validator4 package?
>
> The version 5.x is a prerequisite to upgrade Spring to the next major
> release. Also the version 4.x is no longer supported and security issues
> are frequently reported. The idea is to use libhibernate-validator4-java
> as a transitional package until all reverse dependencies are updated to
> use the version 5.x.

That sounds like a sensible reason to upgrade a package. Though when I look closer into the details, I find only four reported security vulnerabilities in the past six years. The last two, in 2019 and 2020, only affected the 5.x and later versions specifically, which is rather an argument against upgrading hibernate-validator.

So the real reason for 5.x is to upgrade Spring, which is also fine. However, the update has not materialized so far, but in the meantime pdfsam was broken in two Ubuntu releases and unstable. I would recommend uploading such a package to experimental first, or releasing it to unstable when the complete work is done.

I believe this all could have been avoided if you had outlined your goals beforehand or if you had responded to this bug report in time. Then we both could actually seek a solution to make this work. The current situation is a bit demotivating, though, because I don't want to guess why something is broken and I don't want to invest time to clean up the fallout when the key problem is communication.

I will switch pdfsam to use libhibernate-validator4-java now, but I can only address this problem when libsejda-commons-java has been approved by the ftp team. This may take a while.

Markus