Hi Greg,

> I have been contacted by a Nico Golde @ debian.org asking
> about the availability of a fix for a security vulnerability for
> the debian package of Jetty but that the maintainers had
> no time to fix it.
>
> http://securitytracker.com/alerts/2006/May/1016168.html
>
> I was totally unaware of any debian packages of Jetty and replied
> to Nico asking if I could be put in contact with the package
> maintainers.
>
> Nico then replied with attitude that I was wasting his time
> because I hadn't told him if a specific version was
> vulnerable (5.0.10 - which is not the packaged version).
> As I have no idea how these packages have been built or
> configured - I can't say if they are vulnerable or not

Indeed, such checks should be done by the Debian maintainers and not by you.

> I don't have any knowledge of how debian processes work
> nor if Nico was approaching us in any official capacity.
> I don't know if the debian Jetty packages are officially
> part of debian or not?

Jetty has entered Debian very recently and is not yet part of a stable Debian release, so there's not yet the need for full security support, only for ensuring all outstanding security bugs are fixed for the upcoming release and for addressing security problems in the development releases.

Right now, Jetty depends on the non-free Java implementations, resulting in it being part of the "contrib" section in the archive. This means that although Jetty itself is free software, it is not a fully supported piece of software and does not receive security updates. However, since this will most likely change before the next Debian release (either with OpenJDK or by one of the other free Java runtimes), we will likely provide security support beginning with the release of Debian Lenny, expected in the fourth quarter of 2008. Once that has happened we welcome your help to ensure security support for Jetty.

In general it is much appreciated if you provide information about security problems directly on your website, so that it's easier for users and distributors to track them, like e.g. http://httpd.apache.org/security/vulnerabilities_22.html

Cheers,
Moritz

_______________________________________________
pkg-java-maintainers mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers

