Bug#758516: Struts 1.2 should not be shipped with jessie
Moritz Mühlenhoff
jmm at inutil.org
Sun Oct 12 20:13:39 UTC 2014
On Wed, Sep 17, 2014 at 01:50:36PM +0200, Emmanuel Bourg wrote:
> On 17/09/2014 12:57, Moritz Muehlenhoff wrote:
>
> > That's not how we handle it in Debian: If a library is shipped in Debian,
> > it is fully supported to be used by local libs.
> >
> > Anything in /usr/local or installed through Maven is of course the responsibility
> > of the user.
> >
> > So we should go ahead with the removal of struts 1.2 by filing RC bugs against
> > the packages using it.
>
> Well that's sad because this is really a waste of time and our resources
> are desperately limited :( libstruts1.2-java is not a security threat as
> used by the other Debian libraries and applications, and upstream even
> provided a patch for CVE-2014-0114 [1][2] despite the EOL. I'd rather
> spend this time on other important issues.

Would it help if I upload NMUs for libspring-java and easyconf?

Cheers,
Moritz