Bug#879002: Should the package be removed?

Markus Koschany apo at debian.org
Fri Nov 3 20:19:56 UTC 2017


On Wed, 18 Oct 2017 13:29:19 +0200 Emmanuel Bourg <ebourg at apache.org> wrote:
> Upstream has moved to GitHub [1] and the last update was released in
> 2014 but the security issue is still not fixed [2].
> 
> This was a dependency of Jenkins which is now gone. There is a slim
> chance that this package could be useful again in the future since it's
> a dependency of some Apache projects (Zeppelin, Atlas, Ranger and Knox).
> 
> Emmanuel Bourg
> 
> [1] https://github.com/kohsuke
> [2] https://github.com/kohsuke/libpam4j/issues/18

Apparently Red Hat patched their libpam4j package but they didn't
forward the patch upstream.

https://bugzilla.redhat.com/show_bug.cgi?id=1503103

Actually I agree with Raphael. The software is unmaintained upstream and
unused in Debian. It's rather scary that other projects depend on it,
especially when it comes to security-sensitive matters like PAM. In the
end it can always be reintroduced if someone really intends to maintain it.






More information about the pkg-java-maintainers mailing list