


Re: Security issue in groovy<2.5.0

From 殷啟聰 | Kai-Chung Yan <seamlikok@gmail.com>
Newsgroups linux.debian.maint.java
Subject Re: Security issue in groovy<2.5.0
Date 2017-09-06 18:10 +0200
Message-ID <umL3P-49l-1@gated-at.bofh.it> (permalink)
References (3 earlier) <uiMrv-3yF-1@gated-at.bofh.it> <uiNxf-4a9-11@gated-at.bofh.it> <ulhKy-45Y-9@gated-at.bofh.it> <ulSK6-1QU-3@gated-at.bofh.it> <um5nX-16D-13@gated-at.bofh.it>
Organization linux.* mail to news gateway


Hello Felix,

I agree that the changes are made into a single patch.

Now that no human being is actively maintaining this package, I think it is effectively orphaned. pkg-java team is unable to be responsible for the package because nobody *is* pkg-java. Changing the maintainer to Debian QA Group does not seem incorrect to me.

However, I'm curious about the situation when someone wants to upload a simple change to an orphaned package. Do people refrain from it or do they simply do a non-maintainer upload?

Felix Natter wrote on 2017/9/5 at 3:35 AM:
> 殷啟聰 | Kai-Chung Yan <seamlikok@gmail.com> writes:
>
>> Hello Natter,
> hi Kai,
> thanks for the reply.
>
> s/Natter/Felix/g ;-) (my first name is Felix)
>
>> Since it's just one commit, I suggest you put it as a patch in
>> `debian/patches`. When someone is updating the package to 2.5.0, she
>> can just remove it.
> There is already a 2.4.8-2 in the git pipeline (unreleased) by Miguel
> Landaeta (CC):
>   https://anonscm.debian.org/cgit/pkg-java/groovy.git
>
> In the corresponding bug for 2.4.8-2 (#871857) Miguel says:
>
> "I removed myself from uploaders list and prepared a tentative QA upload
> but I didn't upload it to the archive since the resulting package would
> be in violation of Debian Policy (§3.3 and §5.6.3). I'd appreciate if
> somebody else can step in as maintainer."
>
> Policy §5.6.3 says:
> "This is normally an optional field, but if the Maintainer control field
> names a group of people and a shared email address, the Uploaders field
> must be present and must contain at least one human with their personal
> email address."
>
> --> groovy currently only has:
>   Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
>  (no Uploader:)
> which seems to violate §5.6.3. So how can we make a policy-compliant
> team upload without becoming maintainer (I'd like to avoid taking over
> groovy maintainership if possible)?
>
> Shall we set
>   Maintainer: Debian QA Group <packages@qa.debian.org>
> according to Policy §3.3, even if we usually do team uploads?
>
> Other than that: @Miguel, @Emmanuel, @Kai: do you agree to make a simple
> 2.4.8-2 release with Miguel's changes only adding that patch?
>
> Thanks and Best Regards,




Thread

Security issue in groovy<2.5.0 Felix Natter <fnatter@gmx.net> - 2017-08-17 20:20 +0200
  Re: Security issue in groovy<2.5.0 Felix Natter <fnatter@gmx.net> - 2017-08-26 18:20 +0200
    Re: Security issue in groovy<2.5.0 Emmanuel Bourg <ebourg@apache.org> - 2017-08-26 18:50 +0200
      Re: Security issue in groovy<2.5.0 Felix Natter <fnatter@gmx.net> - 2017-08-26 20:00 +0200
        Re: Security issue in groovy<2.5.0 Felix Natter <fnatter@gmx.net> - 2017-08-26 20:40 +0200
          Re: Security issue in groovy<2.5.0 Thorsten Glaser <t.glaser@tarent.de> - 2017-08-27 00:50 +0200
            Re: Security issue in groovy<2.5.0 Felix Natter <fnatter@gmx.net> - 2017-08-28 19:10 +0200
        Re: Security issue in groovy<2.5.0 Felix Natter <fnatter@gmx.net> - 2017-09-02 16:40 +0200
          Re: Security issue in groovy<2.5.0 殷啟聰 | Kai-Chung Yan <seamlikok@gmail.com> - 2017-09-04 08:10 +0200
            Re: Security issue in groovy<2.5.0 Felix Natter <fnatter@gmx.net> - 2017-09-04 21:40 +0200
              Re: Security issue in groovy<2.5.0 Miguel Landaeta <nomadium@debian.org> - 2017-09-05 22:00 +0200
              Re: Security issue in groovy<2.5.0 殷啟聰 | Kai-Chung Yan <seamlikok@gmail.com> - 2017-09-06 18:10 +0200
                Re: Security issue in groovy<2.5.0 Paul Wise <pabs@debian.org> - 2017-09-07 05:00 +0200
  Re: Security issue in groovy<2.5.0 Emmanuel Bourg <ebourg@apache.org> - 2017-08-26 18:20 +0200
    Re: Security issue in groovy<2.5.0 Felix Natter <fnatter@gmx.net> - 2017-09-07 20:50 +0200
      Re: Security issue in groovy<2.5.0 Emmanuel Bourg <ebourg@apache.org> - 2017-09-07 21:10 +0200
