Bug#942814: libhibernate-validator-java: update to 5.3.6 breaks reverse-dependencies

Markus Koschany apo at debian.org
Sat Sep 26 14:31:27 BST 2020


On 26.09.20 at 10:27, Emmanuel Bourg wrote:
> On 25/09/2020 13:50, Markus Koschany wrote:
> 
>> Why did you upgrade hibernate-validator to version 5.x when
>> no other package in Debian requires it? Wouldn't it have been 
>> simpler to revert the upgrade instead of creating a separate
>> hibernate-validator4 package?
> 
> The version 5.x is a prerequisite to upgrade Spring to the next major
> release. Also the version 4.x is no longer supported and security issues
> are frequently reported. The idea is to use libhibernate-validator4-java
> as a transitional package until all reverse dependencies are updated to
> use the version 5.x.

That sounds like a sensible reason to upgrade a package. Though when I
look closer into the details I find only four reported security
vulnerabilities in the past six years. The last two in 2019 and 2020 did
only affect the 5.x and later versions specifically which is rather an
argument against upgrading hibernate-validator.

So the real reason for 5.x is to upgrade Spring which is also fine.
However the update has not materialized so far but in the meantime
pdfsam was broken in two Ubuntu releases and unstable. I would recommend
to upload such a package to experimental first or release it to unstable
when the complete work is done. I believe this all could have been
avoided if you had outlined your goals beforehand or if you had
responded to this bug report in time. Then we both could actually seek
for a solution to make this work. The current situation is a bit
demotivating though because I don't want to guess why something is
broken and I don't want to invest time to clean up the fallout when the
key problem is communication.

I will switch pdfsam to use libhibernate-validator4-java now but I can
only address this problem when libsejda-commons-java has been approved
by the ftp team. This may take a while.

Markus
