On Sunday, April 14, 2019 06:08:28 PM Dmitry Shachnev wrote: > Package: python-gdata > Version: 2.0.18+dfsg1-2 > Severity: serious > Tags: buster sid > > I am uploader of python-gdata and my intention is that it should not be > part of Debian Buster release. > > There are two main reasons for it: > > 1) It does not actually work anymore: Google has shut down most of gdata > API backends [1]. Some of them like the YouTube data API continue to work > as per deprecation policy, but will most likely be shutdown during Buster > lifetime. > > 2) It is insecure: it bundles an ancient version of tlslite, which > has known vulnerabilities: at least CVE-2014-3566, CVE-2013-0169 and > CVE-2011-3389. Newer version of tlslite has been removed from Debian > in 2014, so I cannot even unbundle it. > > I have filed bugs for all reverse dependencies in May 2018. At the moment > of writing this all reverse dependencies have been removed from Buster. > > I am also going to get it removed from Sid later. > > [1]: https://developers.google.com/gdata/docs/directory
Sounds like a great plan. I'd suggest starting now with removals/updates for the rdepends from Sid. If it's going to go away, the sooner the better. Scott K _______________________________________________ Python-modules-team mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/python-modules-team
