Hi,

On Fri, Aug 24, 2018 at 01:18:09AM +0200, Emmanuel Bourg wrote:
> On 23/08/2018 17:11, Markus Koschany wrote:
> 
> > My concern is that we have an upstream project that does not even
> > consider such a trivial fix. Then we have another example of a
> > fire-and-forget one time upload (simple-xml) and now the package is
> > carried "by the team". carrotsearch-randomizedtesting is a
> > test-dependency for lucene4.10 and spatial4j, same pattern, one time
> > upload, now carried by the team. And when I see that we ship at least
> > three versions of lucene in Debian, then I suppose we still have some
> > room for improvements.
> 
> lucene2 is only used by eclipse, I hope we'll be able to remove both of
> them before Buster is released. With the new eclipse-* packages heading
> to unstable this is now a likely outcome.
> 
> 
> > The gist is: Better maintain few packages and do it well, instead of
> > maintaining many packages that just exist for collecting RC bugs.
> 
> I agree. Not all CVEs are equally important though, here simple-xml is
> just a test dependency of another package and has a very low popcon, the
> vulnerability has no real impact on the Debian users.

Is it possible to remove the test-dependency (probably by disabling the
tests)? That way simple-xml could be removed from buster. Even if we don't do
this for buster, it might be good to do this for bullseye anyway, if the
package isn't really maintained.

Thanks,

Ivo

--
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.