On Tue, 10 Aug 2021, Markus Koschany wrote:

> Currently I don't plan to update the bpo version of Tomcat 9 in Buster. If you
> prefer the latest updates then I'd suggest to focus on bullseye-backports from

I think you misunderstood the intention of this request. Packages in
$version-backports have to be up-to-date wrt. their corresponding
packages from $(version+1), except small, not very user-visible, etc.
changes. In the case of security updates, this is even more important.

The person who uploaded the first backport basically agreed to keep the
tomcat9 backport up-to-date over the lifetime of buster-backports, that
is, to approximately 14/15ᵗʰ August 2022(!).

> now on. I am not sure yet if the regression which I have fixed in
> 9.0.43-3 requires another security update for bullseye or buster at
> the moment, since an easy workaround is available and probably not
> many users are affected. I will monitor the situation though.

Right. However, if you’re not intending to update the buster backport,
please file a removal request and inform the users (via the bpo mailing
list) about this and the extant security issues in the version they
have installed.

Thanks,
//mirabilos

ObPlug: http://www.mirbsd.org/~tg/Debs/dists/buster/lts/Pkgs/tomcat9/
is what I try to keep reasonably up to date. It also contains the
sysvinit fixes. It’s built in a bullseye chroot though, and as such
does NOT follow the bpo rules. It’s a works-for-me thing which one
MAY use if they want, at their own risk.

--
Infrastructure expert • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephone +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Managing directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg

*************************************************
Don't miss anything with the tarent newsletter: www.tarent.de/newsletter
*************************************************