[Python-modules-team] Bug#927066: python-gdata: Should not ship with Buster

Scott Kitterman debian at kitterman.com
Sun Apr 14 16:52:15 BST 2019


On Sunday, April 14, 2019 06:08:28 PM Dmitry Shachnev wrote:
> Package: python-gdata
> Version: 2.0.18+dfsg1-2
> Severity: serious
> Tags: buster sid
> 
> I am the uploader of python-gdata, and my intention is that it should not be
> part of the Debian Buster release.
> 
> There are two main reasons for it:
> 
> 1) It does not actually work anymore: Google has shut down most of the gdata
> API backends [1]. Some of them, like the YouTube data API, continue to work
> as per the deprecation policy, but will most likely be shut down during the
> Buster lifetime.
> 
> 2) It is insecure: it bundles an ancient version of tlslite, which
> has known vulnerabilities: at least CVE-2014-3566, CVE-2013-0169 and
> CVE-2011-3389. A newer version of tlslite was removed from Debian
> in 2014, so I cannot even unbundle it.
> 
> I filed bugs for all reverse dependencies in May 2018. At the moment
> of writing this, all reverse dependencies have been removed from Buster.
> 
> I am also going to get it removed from Sid later.
> 
> [1]: https://developers.google.com/gdata/docs/directory

Sounds like a great plan.

I'd suggest starting now with removals/updates for the rdepends from Sid.  If 
it's going to go away, the sooner the better.

Scott K


