Re: Unblock request for mantis
On Sun, Dec 14, 2008 at 07:42:22PM +0100, Luk Claes wrote:
> Patrick Schoenfeld wrote:
> > Hi,
> > today I've uploaded mantis 1.1.6 to experimental, but to summarize my
> > request: I really would like to see this version in Lenny.
> > Background:
> > mantis is a web-application that suffered from a lot of security
> > problems in the past. It has improved a lot, but still security is a
> > problem, because the code base of mantis (although much overworked) is
> > still quiet old. Quiet a lot of work against such problems had already
> > been done for the 1.1.2 release, which was "just in time" for Lenny.
> > With the 1.1.3 release the developers of mantis refined the form
> > security token implementation, to once at all fix some security issues
> > that popped up here and there without a proper solution.
> > As one might expect this rather intrusive change caused some regressions
> > in functionality, but since then _three_ releases was issued to fix
> > issues arised from this. It got a lot of testing (by me and by others)
> > and seems mature enough to use it in productive use.
> > I firmly believe, that - although the current version in Lenny is usable
> > too - our users would benefit much from this version of mantis. I also
> > believe that it would reduce the support burden, if we keep near to
> > upstream and that the security improvements would make the security
> > teams life easier.
> > mantis has no reverse dependencies and therefore it can't break or
> > disturb other packages in Debian.
> > With the above stated rationale I'd like to upload mantis 1.1.6 to
> > unstable in a day or two and ask you to let it migrate when the 10 days
> > of testing in unstable have passed w/o unfixable problems.
> Cc-ed Security Team for their input.