On Wed, Sep 17, 2014 at 01:50:36PM +0200, Emmanuel Bourg wrote:
> Le 17/09/2014 12:57, Moritz Muehlenhoff a écrit :
> 
> > That's not how we handle in Debian: If a library is shipped in Debian,
> > it is fully supported to be used by local libs. 
> > 
> > Anything in /usr/local or installed through Maven is of course the 
> > responsibility
> > of the user.
> > 
> > So we should go ahead with the removal of struts 1.2 by filing RC bugs 
> > against
> > the packages using it.
> 
> Well that's sad because this is really a waste of time and our resources
> are desperately limited :( libstruts1.2-java is not a security threat as
> used by the other Debian libraries and applications, and upstream even
> provided a patch for CVE-2014-0114 [1][2] despite the EOL. I'd rather
> spend this time on other important issues.

Would it help if I upload NMUs for libspring-java and easyconf?

Cheers,
        Moritz

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to