[xml/sgml-pkgs] Too many xerces versions in sarge: can we get rid of some?

[Steve Langasek]

--NKys6zTV8iyMJiwY
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi folks,

We've noticed that there are a number of versions of xerces floating around
in testing right now; given that there's just been a security advisory for
xerces25, I think we should look at getting some of these removed from
testing prior to release.  What needs to happen before we can do that,
besides getting packages recompiled against xerces26?

The versions in testing that currently have reverse-dependencies are
xerces21, xerces23, and xerces25; I've pulled xerces24 and xerces26 out
since they're libraries with no reverse-deps, though of course xerces26 can
go back in if it's the version we want to use for sarge.

Removing xerces21 from sarge requires rebuilding or removing gdal and qgis.

Removing xerces23 requires rebuilding/removing libxml-xerces-perl.

Removing xerces25 requires rebuilding/removing xalan and anon-proxy.

How feasible is it to get these packages rebuilt?  If we can at least get
this down to two versions, that would be a big help; one version would be
ideal.  3 (or 5, as we had earlier) is excessive.

Can I go ahead and ask for xerces24 to be removed from unstable (or, let one
of the maintainers do so)?  If we are to target getting this down to one
version, is xerces26 the one to go for?

Thanks,
--=20
Steve Langasek
postmodern programmer

--NKys6zTV8iyMJiwY
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCRmveKN6ufymYLloRAqB/AKCYeHUoD1zHZM0UyUD29dCaToZNFQCgiZqr
Gn8QBSYtbOvgYfoLcMlNAhA=
=yh2l
-----END PGP SIGNATURE-----

--NKys6zTV8iyMJiwY--