Hi security team and Jetty package maintainers,
I'm the main developer of the Jetty Java HTTP Server. I have been contacted by a Nico Golde @ debian.org asking about the availability of a fix for a security vulnerability for the Debian package of Jetty, but that the maintainers had no time to fix it.

http://securitytracker.com/alerts/2006/May/1016168.html

I was totally unaware of any Debian packages of Jetty and replied to Nico asking if I could be put in contact with the package maintainers. Nico then replied with attitude that I was wasting his time because I hadn't told him if a specific version was vulnerable (5.0.10, which is not the packaged version).

As I have no idea how these packages have been built or configured, I can't say if they are vulnerable or not. I don't have any knowledge of how Debian processes work, nor if Nico was approaching us in any official capacity. I don't know if the Debian Jetty packages are officially part of Debian or not?

I don't really appreciate being accused of wasting the time of others simply because they have taken my software and then can't be bothered to maintain it (I don't know if that is the case, but it is how it was represented by Nico). I have put the effort in to develop the package and to quickly respond to all security vulnerabilities that I have received. I don't see that I should be expected to provide the extra effort to help every distributor include those fixes, if they are not prepared to help me.

However, if somebody without attitude who knows about Debian wants to work with me, then I would be VERY pleased to help make non-vulnerable packages of Jetty available via Debian.

regards

_______________________________________________
pkg-java-maintainers mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers