| Started by | Markus Koschany <apo@debian.org> |
|---|---|
| First post | 2016-03-29 23:30 +0200 |
| Last post | 2016-03-30 23:00 +0200 |
| Articles | 2 — 2 participants |
This discussion starts older than the indexed window; earlier articles aren't shown. The article labeled Started by
below is the oldest one visible, not the original post.
Re: New oldstable-proposed-updates diff: tomcat6 6.0.45+dfsg-1~deb7u1 Markus Koschany <apo@debian.org> - 2016-03-29 23:30 +0200
Re: New oldstable-proposed-updates diff: tomcat6 6.0.45+dfsg-1~deb7u1 Moritz Mühlenhoff <jmm@inutil.org> - 2016-03-30 23:00 +0200
| From | Markus Koschany <apo@debian.org> |
|---|---|
| Date | 2016-03-29 23:30 +0200 |
| Subject | Re: New oldstable-proposed-updates diff: tomcat6 6.0.45+dfsg-1~deb7u1 |
| Message-ID | <ri9n4-3BH-5@gated-at.bofh.it> |
On 29.03.2016 at 23:01, Moritz Mühlenhoff wrote:
> On Tue, Mar 29, 2016 at 10:03:56PM +0200, Markus Koschany wrote:
>> The Security Team decided to mark the issues in Jessie as no-dsa because
>> we only ship the servlet API and documentation in this release which
>> can't be affected by security vulnerabilities at all. I wouldn't mind
>> uploading the 6.0.45+dfsg-1~deb8u1 to Jessie but I think we can safely
>> ignore the version number skew in this case. All Wheezy users who update
>> to Jessie will keep 6.0.45+dfsg-1~deb7u1 for the servlet API and Jessie
>> only users will continue to use 6.0.41. They will not be placed in a
>> worse position.
>>
>> If you feel more comfortable with an updated source package in Jessie, I
>> will gladly upload this one to Jessie.
>
> I missed the wheezy > jessie version skew aspect. In that case let's also
> upgrade tomcat6 in jessie even though it's a NOP.
>
> But all those rdeps of libservlet2.5-java should really be upgraded
> to libservlet3.1-java.
>
> Cheers,
> Moritz

[putting debian-java in the loop]

I will upload a Jessie update of Tomcat 6 tomorrow. Please note that
changing the rdeps of libservlet2.5-java to libservlet3.1-java is one of
our goals for Stretch. [1]

This is sometimes not an easy task because we also ship packages with
specifications like osgi-compendium that support the Java servlet 2.5 API
and above. See [2] for user voiced concerns. I don't think that
libservlet2.5-java poses any security risk, so we should safely ignore
this one in the future.

Regards,

Markus

[1] https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=pkg-java-maintainers@lists.alioth.debian.org;tag=libservlet2.5-java
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801026
| From | Moritz Mühlenhoff <jmm@inutil.org> |
|---|---|
| Date | 2016-03-30 23:00 +0200 |
| Message-ID | <rivnA-2si-1@gated-at.bofh.it> |
| In reply to | #8969 |
On Tue, Mar 29, 2016 at 11:23:30PM +0200, Markus Koschany wrote:
> On 29.03.2016 at 23:01, Moritz Mühlenhoff wrote:
> > On Tue, Mar 29, 2016 at 10:03:56PM +0200, Markus Koschany wrote:
> >> The Security Team decided to mark the issues in Jessie as no-dsa because
> >> we only ship the servlet API and documentation in this release which
> >> can't be affected by security vulnerabilities at all. I wouldn't mind
> >> uploading the 6.0.45+dfsg-1~deb8u1 to Jessie but I think we can safely
> >> ignore the version number skew in this case. All Wheezy users who update
> >> to Jessie will keep 6.0.45+dfsg-1~deb7u1 for the servlet API and Jessie
> >> only users will continue to use 6.0.41. They will not be placed in a
> >> worse position.
> >>
> >> If you feel more comfortable with an updated source package in Jessie, I
> >> will gladly upload this one to Jessie.
> >
> > I missed the wheezy > jessie version skew aspect. In that case let's also
> > upgrade tomcat6 in jessie even though it's a NOP.
> >
> > But all those rdeps of libservlet2.5-java should really be upgraded
> > to libservlet3.1-java.
> >
> > Cheers,
> > Moritz
>
> [putting debian-java in the loop]
>
> I will upload a Jessie update of Tomcat 6 tomorrow.
Ok.
> Please note that
> changing the rdeps of libservlet2.5-java to libservlet3.1-java is one of
> our goals for Stretch. [1]
Ok, nice.
Cheers,
Moritz