[pkg-php-pear] Bug#831418: #831418 EOL: not to be released with Stretch

David Prévot taffit at debian.org
Sun Aug 21 18:17:37 UTC 2016


Control: severity -1 serious

On 21/08/2016 at 02:26, Markus Frosch wrote:
> On 25.07.2016 13:11, Markus Frosch wrote:

>> this is an interesting problem, while looking at the 3 dependent packages. (see below)
>>
>> We have 3 choices to go on:
>>
>> 1. Still provide zendframework 1 in a separated path, so it won't conflict with ZF2/3
>> 2. Embed needed code into the packages, and drop the full library

Both those proposals are not acceptable now that upstream dropped
security support for it. Given the amount of security issues patched
into zendframework regularly (we’ve made six stable updates since Jessie
has been released, three or four via a DSA), keeping part of its code in
the archive without anyone to audit the code is not an option IMO. Maybe
the security team will have another opinion about it, but I believe they
are relying on the maintainers for those PHP classes.

>> 3. Remove all 3 packages from stretch

4. Wait for (or help) upstream to move away from deprecated code.

> I'd prefer not to remove zendframework from Debian.
> 
> Downgrading bug to important.

Please, don’t hide issues. There is still time right now to get the
reverse dependencies in shape for Stretch, waiting for the freeze won’t
help anyone.

Regards

David
