
Re: updating roundcube backports to 1.2.x?



Hi,

On Tue, 16 May 2017 at 07:01:45 +0200, Rhonda D'Vine wrote:
> * Rhonda D'Vine <rhonda@deb.at> [2017-05-03 10:39:35 CEST]:
>> * Guilhem Moulin <guilhem@guilhem.org> [2017-04-11 18:07:09 CEST]:
>>> When I last checked this last autumn, backporting all dependencies was
>>> too much work for us.
>> 
>> If it is considered too much work then that might be a good sign for
>> the future to rather avoid backporting it at all in the first place ...
>> 
>> I'm a bit uncertain on what to suggest to move forward here to get
>> things straightened out again.
> 
> May I get a response to how the people who feel roundcube should stay
> in backports see the issue?  Actually a silence doesn't move us forward
> here, and I consider removing roundcube from backports because it feels
> unmaintained if there is unwillingness to update it to the version from
> testing.

It's probably not a good excuse, but FWIW when I joined the team I
mostly offered to maintain the bpo to compensate for the missing
packages in Jessie.  Of course I'd prefer to follow upstream's fast
development pace, but I suppose I underestimated the amount of work
required (esp. now at the end of the release cycle) to backport all
dependencies maintained by the PHP team.

> I will have to remove it in two weeks' time if I can't get any further
> response to avoid having unmaintained packages in backports.  And yes,
> just putting the security patches onto the backport feels a fair bit
> unmaintained to me/us.

In fact we were thinking about requesting removal [0] (also, sent to
backports-team@d.o, but there was no follow-up to Sandro's proposal from
either party).  In the meantime I'm backporting security fixes against
the 1.1.x branch so users of the jessie-bpo packages are not put at
risk.  (3 CVEs were filed in the last 6 months.)

Cheers,
-- 
Guilhem.

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847287#32
