Bug#758516: Struts 1.2 should not be shipped with jessie

2014-11-20 Thread Emmanuel Bourg
libspring-java and easyconf have been patched in unstable and unblocked
for Jessie. I'll request the removal of Struts once they have migrated.

__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers.
Please use debian-j...@lists.debian.org for discussions and questions.


Bug#758516: Struts 1.2 should not be shipped with jessie

2014-10-12 Thread Moritz Mühlenhoff
On Wed, Sep 17, 2014 at 01:50:36PM +0200, Emmanuel Bourg wrote:
> On 17/09/2014 12:57, Moritz Muehlenhoff wrote:
> 
>> That's not how we handle it in Debian: If a library is shipped in Debian,
>> it is fully supported to be used by local libs.
>> 
>> Anything in /usr/local or installed through Maven is of course the
>> responsibility of the user.
>> 
>> So we should go ahead with the removal of struts 1.2 by filing RC bugs
>> against the packages using it.
> 
> Well that's sad because this is really a waste of time and our resources
> are desperately limited :( libstruts1.2-java is not a security threat as
> used by the other Debian libraries and applications, and upstream even
> provided a patch for CVE-2014-0114 [1][2] despite the EOL. I'd rather
> spend this time on other important issues.

Would it help if I upload NMUs for libspring-java and easyconf?

Cheers,
Moritz



Bug#758516: Struts 1.2 should not be shipped with jessie

2014-09-17 Thread Moritz Muehlenhoff
On Tue, Sep 16, 2014 at 12:12:03AM +0200, Emmanuel Bourg wrote:
> On 15/09/2014 23:56, Moritz Mühlenhoff wrote:
> 
>> Then it should be easy to remove?
> 
> Actually it's easier to keep it, since a removal induces more work to
> update the reverse dependencies.
> 
>> Well, but if we keep old, unsupported libs around, people might be exposed
>> by running code not shipped in Debian, but using these libraries.
> 
> Sure but we are not responsible for such things. This library can be
> downloaded from other places like Maven Central, removing it won't
> change anything.

That's not how we handle it in Debian: If a library is shipped in Debian,
it is fully supported to be used by local libs.

Anything in /usr/local or installed through Maven is of course the
responsibility of the user.

So we should go ahead with the removal of struts 1.2 by filing RC bugs
against the packages using it.

Cheers,
Moritz



Bug#758516: Struts 1.2 should not be shipped with jessie

2014-09-17 Thread Emmanuel Bourg
On 17/09/2014 12:57, Moritz Muehlenhoff wrote:

> That's not how we handle it in Debian: If a library is shipped in Debian,
> it is fully supported to be used by local libs.
> 
> Anything in /usr/local or installed through Maven is of course the
> responsibility of the user.
> 
> So we should go ahead with the removal of struts 1.2 by filing RC bugs
> against the packages using it.

Well that's sad because this is really a waste of time and our resources
are desperately limited :( libstruts1.2-java is not a security threat as
used by the other Debian libraries and applications, and upstream even
provided a patch for CVE-2014-0114 [1][2] despite the EOL. I'd rather
spend this time on other important issues.

Emmanuel Bourg

[1] https://svn.apache.org/r1603882
[2] https://svn.apache.org/r1603883



Bug#758516: Struts 1.2 should not be shipped with jessie

2014-09-15 Thread Moritz Mühlenhoff
On Fri, Sep 12, 2014 at 11:34:31PM +0200, Emmanuel Bourg wrote:
> Looking at the reverse dependencies of libstruts1.2-java, it seems it
> isn't much used. There are:
> - src:libspring-java, it builds libspring-web-struts-java which isn't used.
> - src:easyconf, it builds libeasyconf-java with a suggested dependency
>   on libstruts1.2-java and it isn't used.

Then it should be easy to remove?

> In my opinion there is no harm keeping libstruts1.2-java in Jessie as a
> convenience for packaging other libraries, it's never executed as part
> of an application in the end (there is no Struts based web application
> in Debian).

Well, but if we keep old, unsupported libs around, people might be exposed
by running code not shipped in Debian, but using these libraries.

Cheers,
Moritz



Bug#758516: Struts 1.2 should not be shipped with jessie

2014-09-15 Thread Emmanuel Bourg
On 15/09/2014 23:56, Moritz Mühlenhoff wrote:

> Then it should be easy to remove?

Actually it's easier to keep it, since a removal induces more work to
update the reverse dependencies.

> Well, but if we keep old, unsupported libs around, people might be exposed
> by running code not shipped in Debian, but using these libraries.

Sure but we are not responsible for such things. This library can be
downloaded from other places like Maven Central, removing it won't
change anything.

Emmanuel Bourg



Bug#758516: Struts 1.2 should not be shipped with jessie

2014-09-12 Thread Emmanuel Bourg
Looking at the reverse dependencies of libstruts1.2-java, it seems it
isn't much used. There are:
- src:libspring-java, it builds libspring-web-struts-java which isn't used.
- src:easyconf, it builds libeasyconf-java with a suggested dependency
  on libstruts1.2-java and it isn't used.

In my opinion there is no harm keeping libstruts1.2-java in Jessie as a
convenience for packaging other libraries, it's never executed as part
of an application in the end (there is no Struts based web application
in Debian).

Emmanuel Bourg
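The reverse-dependency survey above is the check that decides whether a removal is cheap or expensive, and the distinction between a hard Depends and a mere Suggests is what makes libeasyconf-java harmless. The script below is an added example, not part of the bug report and not Debian's own tooling (apt-cache rdepends or the reverse-depends tool from ubuntu-dev-tools would be used in practice). It parses a Packages-style index and reports, per relationship field, which packages name a given binary package, and which of those would actually become uninstallable if it were removed. The stanzas are constructed to mirror what the thread describes; the package names are the real ones from the thread, the version numbers and dependency lists are assumptions.

```python
"""Compute reverse dependencies of a binary package from a Debian
Packages index (RFC 822-style stanzas).

Added example; not code from the bug report or from Debian's tooling.
The stanzas below are constructed: package names follow the thread,
version numbers and the exact dependency lists are assumptions.
"""
import re

# Relationship fields, strongest first.  A removal breaks installability
# only for the first two; Recommends/Suggests/Enhances are soft links.
RELATION_FIELDS = ("Pre-Depends", "Depends", "Recommends", "Suggests", "Enhances")

SAMPLE_PACKAGES = """\
Package: libspring-web-struts-java
Version: 3.0.6.RELEASE-1
Depends: libspring-web-java (= 3.0.6.RELEASE-1), libstruts1.2-java (>= 1.2.9)

Package: libeasyconf-java
Version: 0.9.5-1
Depends: libcommons-configuration-java
Suggests: libstruts1.2-java, libxerces2-java

Package: libstruts1.2-java
Version: 1.2.9-5
Depends: libcommons-beanutils-java, libcommons-digester-java
"""


def parse_stanzas(text):
    """Yield one dict per stanza.  Blank lines separate stanzas; a line
    starting with whitespace continues the previous field's value."""
    stanza, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            if stanza:
                yield stanza
            stanza, last = {}, None
        elif line[0] in " \t" and last:
            stanza[last] += " " + line.strip()
        else:
            key, _, value = line.partition(":")
            stanza[key.strip()] = value.strip()
            last = key.strip()
    if stanza:
        yield stanza


def relation_targets(field_value):
    """Turn 'a (>= 1), b:any | c [amd64]' into the set of bare package names.
    Version restrictions, architecture qualifiers and alternatives are all
    stripped: any branch of an alternative can pull the target in."""
    names = set()
    for group in field_value.split(","):
        for alt in group.split("|"):
            name = re.sub(r"\s*[\(\[].*$", "", alt.strip())  # drop (version) / [arch]
            name = name.split(":")[0]                         # drop :any / :native
            if name:
                names.add(name)
    return names


def reverse_dependencies(packages_text, target):
    """Map each relationship field to the sorted packages naming `target` in it.
    Fields with no matches are omitted."""
    result = {field: [] for field in RELATION_FIELDS}
    for stanza in parse_stanzas(packages_text):
        for field in RELATION_FIELDS:
            if field in stanza and target in relation_targets(stanza[field]):
                result[field].append(stanza["Package"])
    return {field: sorted(pkgs) for field, pkgs in result.items() if pkgs}


def removal_blockers(packages_text, target):
    """Packages that become uninstallable if `target` is removed, i.e. those
    with a Pre-Depends or Depends on it.  Suggests/Recommends do not count;
    they are the case the thread calls 'a suggested dependency'."""
    rdeps = reverse_dependencies(packages_text, target)
    return sorted(set(rdeps.get("Pre-Depends", [])) | set(rdeps.get("Depends", [])))


if __name__ == "__main__":
    for field, pkgs in reverse_dependencies(SAMPLE_PACKAGES, "libstruts1.2-java").items():
        print(f"{field}: {', '.join(pkgs)}")
    print("blocking removal:", removal_blockers(SAMPLE_PACKAGES, "libstruts1.2-java"))
```

On the constructed index, only libspring-web-struts-java is a removal blocker; libeasyconf-java shows up under Suggests and would survive the removal untouched. Against a real archive the same logic is run over the Packages files of every suite and architecture, since a package can be a blocker on one architecture only.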


Bug#758516: Struts 1.2 should not be shipped with jessie

2014-08-18 Thread Moritz Muehlenhoff
Package: libstruts1.2-java
Severity: serious

Struts 1.x is EOLed upstream, it should not be included in jessie:
http://mail-archives.apache.org/mod_mbox/struts-announcements/201404.mbox/%3C535F5F52.4040108%40apache.org%3E

Cheers,
Moritz
