On 01/10/15 22:11, Kai Storbeck wrote: > Hi, > > Roundup 1.4.20-1.1 is still the version in stable. Roundup 1.5 was released a > few years back, and I need someone to help me with the final stages in > getting 1.5 in stretch, or getting it removed. > > > Roundup is a python web application with quite some vendored code (javascript > libs and fonts), 5 different licenses, and in 1.5.0 there is an offending > file that has an incompatible licensing, so I had to "dfsg" it. (is there a > verb for that?) > > During this work a security issue came along and this made me realise that > the architecture of roundup isn't exactly compatible with what I would expect > from a proper Debain package. > > We can create security updates for roundup, but that won't help any existing > user as all actual issue trackers are using a copy of the lib at the time of > their birth. > > I'm quite unsure on how to proceed here, but perhaps someone with more > experience can help me with the steps needed. >
Hello Python Application Team, I'm still reasonably at the same spot as I was in October 2015. Lets compare Roundup with Trac or Request-tracker4: Roundup is not designed to be customizable in the way Request Tracker (request-tracker4) is. The latter supports local customizations (in /usr/local) and plugins either from source, Debian packaged extensions; without having to rewrite any files from the package in /usr/share. Trac is only customizable through settings or extra plugins. Code is not changed, nor copied, IIUC. Roundup is intended to be copied and heavily customized, although I can see a very small niche where roundup would contain only an instantiated demo tracker in /usr/share (I.e. no customizable config/authorization). My advice: File a removal. I certainly have only partially enjoyed maintaining it. I'm open to filing an RFA instead of a removal, but I need some discussion with some people for a consensus. Kind Regards, Kai Storbeck
signature.asc
Description: OpenPGP digital signature
