
Re: Transition from libcommons-httpclient-java to libhttpclient-java



On 30/09/2015 20:19, Markus Koschany wrote:

> I think we should file bug reports and start replacing
> libcommons-httpclient-java with libhttpclient-java.

I'm not convinced by the need to force this transition. Patching the
rare security issues requires far fewer resources than rewriting and
testing the HTTP code in the reverse dependencies. This time would be
better spent on more critical transitions (bouncycastle comes to mind,
where backporting security fixes can be really tedious due to the
frequent refactoring).


> There are more packages which should be removed (libservlet2.5-java
> comes to mind). More ideas?

- libservlet2.5-java is a low priority, it's mostly a build time
dependency and it consists mainly of codeless interfaces.
- keeping bouncycastle up to date is important, this package is a
potential time bomb
- the bnd transition isn't over yet
- asm3 should be removed since it isn't compatible with Java 8
- tomcat7 may have to go away in Stretch
- maven2, our most sensitive transition
- libcommons-net2-java can be replaced by libcommons-net-java (>= 3)

I feel like we have enough on our plate, adding even more work to avoid
applying a patch on commons-httpclient once a year doesn't sound optimal
to me.

Emmanuel Bourg

