Hi, On Tue, 16 May 2017 at 07:01:45 +0200, Rhonda D'Vine wrote: > * Rhonda D'Vine <rhonda@deb.at> [2017-05-03 10:39:35 CEST]: >> * Guilhem Moulin <guilhem@guilhem.org> [2017-04-11 18:07:09 CEST]: >>> When I last checked this last autumn, backporting all dependencies was >>> too much work for us. >> >> If it is considered too much work then that might be a good sign for >> the future to rather avoid backporting it at all in the first place ... >> >> I'm a bit uncertain on what to suggest to move forward here to get >> things straightened out again. > > May I get a response to how the people who feel roundcube should stay > in backports see the issue? Actually a silence doesn't move us forward > here, and I consider removing roundcube from backports because it feels > unmaintained if there is unwillingness to update it to the version from > testing. It's probably not a good excuse, but FWIW when I joined the team I mostly offered to maintain the bpo to compensate for the missing packages in Jessie. Of course I'd prefer to follow upstream's fast development pace, but I suppose I underestimated the amount of work required (esp. now at the end of the release cycle) to backport all dependencies maintained by the PHP team. > I will have to remove it in two week's time if I can't get any further > response to avoid having unmaintained packages in backports. And yes, > just putting the security patches onto the backport feels a fair bit > unmaintained to me/us. If fact we were thinking about requesting removal [0] (also, sent to backports-team@d.o, but there was no follow-up to Sandro's proposal from either party). In the meantime I'm backporting security fixes against the 1.1.x branch so users of the jessie-bpo packages are not put at risk. (3 CVEs were filed in the last 6 months.) Cheers, -- Guilhem. [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847287#32
Attachment:
signature.asc
Description: PGP signature