Am Dienstag, dem 10.08.2021 um 22:47 +0200 schrieb Thorsten Glaser: > On Tue, 10 Aug 2021, Markus Koschany wrote: > > > Currently I don't plan to update the bpo version of Tomcat 9 in Buster. If > > you > > prefer the latest updates then I'd suggest to focus on bullseye-backports > > from > > I think you misunderstood the intention of this request. > > Packages in $version-backports have to be up-to-date wrt. > their corresponding packages from $(version+1), except > small, not very user-visible, etc. changes. > > In the case of security updates, this is even more important. > > The person who uploaded the first backport basically agreed > to keep the tomcat9 backport up-to-date over the lifetime of > buster-backports, that is, to approximately 14/15ᵗʰ August 2022(!). > > > now on. I am not sure yet if the regression which I have fixed in > > 9.0.43-3 requires another security update for bullseye or buster at > > the moment, since an easy workaround is available and probably not > > many users are affected. I will monitor the situation though. > > Right. > > However, if you’re not intending to update the buster backport, > please file a removal request and inform the users (via the bpo > mailing list) about this and the extant security issues in the > version they have installed. I have never uploaded tomcat9 to a debian-backports suite hence why I have only replied to the debian-java list. Obviously you should wait for Emmanuel's feedback before doing anything. Regards, Markus
Attachment:
signature.asc
Description: This is a digitally signed message part