Bug#758516: Struts 1.2 should not be shipped with jessie
Emmanuel Bourg
ebourg at apache.org
Wed Sep 17 11:50:36 UTC 2014
On 17/09/2014 12:57, Moritz Muehlenhoff wrote:
> That's not how we handle it in Debian: If a library is shipped in Debian,
> it is fully supported to be used by local libs.
>
> Anything in /usr/local or installed through Maven is of course the responsibility
> of the user.
>
> So we should go ahead with the removal of struts 1.2 by filing RC bugs against
> the packages using it.
Well that's sad because this is really a waste of time and our resources
are desperately limited :( libstruts1.2-java is not a security threat as
used by the other Debian libraries and applications, and upstream even
provided a patch for CVE-2014-0114 [1][2] despite the EOL. I'd rather
spend this time on other important issues.
Emmanuel Bourg
[1] https://svn.apache.org/r1603882
[2] https://svn.apache.org/r1603883