[Python-modules-team] Bug#927066: python-gdata: Should not ship with Buster
Dmitry Shachnev
mitya57 at debian.org
Sun Apr 14 16:08:28 BST 2019
Package: python-gdata
Version: 2.0.18+dfsg1-2
Severity: serious
Tags: buster sid
I am uploader of python-gdata and my intention is that it should not be
part of Debian Buster release.
There are two main reasons for it:
1) It does not actually work anymore: Google has shut down most of gdata
API backends [1]. Some of them like the YouTube data API continue to work
as per deprecation policy, but will most likely be shutdown during Buster
lifetime.
2) It is insecure: it bundles an ancient version of tlslite, which
has known vulnerabilities: at least CVE-2014-3566, CVE-2013-0169 and
CVE-2011-3389. Newer version of tlslite has been removed from Debian
in 2014, so I cannot even unbundle it.
I have filed bugs for all reverse dependencies in May 2018. At the moment
of writing this all reverse dependencies have been removed from Buster.
I am also going to get it removed from Sid later.
[1]: https://developers.google.com/gdata/docs/directory
--
Dmitry Shachnev
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/python-modules-team/attachments/20190414/f5a09657/attachment.sig>
More information about the Python-modules-team
mailing list