Am 12.01.26 um 09:48 schrieb Jonathan Dowland:
On Sat Jan 10, 2026 at 10:17 PM GMT, Gioele Barabucci wrote:
* SECURE: Known security issues must be fixed in unstable and stable in X days, or the FTP masters will permanently remove the library. (This may imply that the team is now the new upstream.)This is ambiguous (do you mean known security *fixes* must be applied, or an unpatched vulnerability must have a fix written too?) and is also a stronger requirement than has ever been applied to any component within Debian.
Where do you expect that security fixes come from if there is no more active upstream?
It appears that most major distros do not have a desire to keep GTK2 around, which basically means, Debian would have to become upstream.
Do we actually have the expertise for that? GTK is a non-trivial library. Michael
Attachment:
OpenPGP_signature.asc
Description: OpenPGP digital signature