[Python-modules-team] Bug#927066: python-gdata: Should not ship with Buster

Dmitry Shachnev mitya57 at debian.org
Sun Apr 14 16:08:28 BST 2019

Package: python-gdata
Version: 2.0.18+dfsg1-2
Severity: serious
Tags: buster sid

I am uploader of python-gdata and my intention is that it should not be
part of Debian Buster release.

There are two main reasons for it:

1) It does not actually work anymore: Google has shut down most of gdata
API backends [1]. Some of them like the YouTube data API continue to work
as per deprecation policy, but will most likely be shutdown during Buster

2) It is insecure: it bundles an ancient version of tlslite, which
has known vulnerabilities: at least CVE-2014-3566, CVE-2013-0169 and
CVE-2011-3389. Newer version of tlslite has been removed from Debian
in 2014, so I cannot even unbundle it.

I have filed bugs for all reverse dependencies in May 2018. At the moment
of writing this all reverse dependencies have been removed from Buster.

I am also going to get it removed from Sid later.

[1]: https://developers.google.com/gdata/docs/directory

Dmitry Shachnev
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/python-modules-team/attachments/20190414/f5a09657/attachment.sig>

More information about the Python-modules-team mailing list