On Wed, Sep 17, 2014 at 01:50:36PM +0200, Emmanuel Bourg wrote:
> On 17/09/2014 12:57, Moritz Muehlenhoff wrote:
>
> > That's not how we handle in Debian: If a library is shipped in Debian,
> > it is fully supported to be used by local libs.
> >
> > Anything in /usr/local or installed through Maven is of course the
> > responsibility of the user.
> >
> > So we should go ahead with the removal of struts 1.2 by filing RC bugs
> > against the packages using it.
>
> Well that's sad because this is really a waste of time and our resources
> are desperately limited :( libstruts1.2-java is not a security threat as
> used by the other Debian libraries and applications, and upstream even
> provided a patch for CVE-2014-0114 [1][2] despite the EOL. I'd rather
> spend this time on other important issues.

Would it help if I upload NMUs for libspring-java and easyconf?

Cheers,
Moritz