
Re: Security issue in groovy<2.5.0



殷啟聰 | Kai-Chung Yan <seamlikok@gmail.com> writes:

> Hello Natter,

hi Kai,
thanks for the reply.

s/Natter/Felix/g ;-) (my first name is Felix)

> Since it's just one commit, I suggest you put it as a patch in
> `debian/patches`. When someone is updating the package to 2.5.0, she
> can just remove it.

There is already a 2.4.8-2 in the git pipeline (unreleased) by Miguel
Landaeta (CC):
  https://anonscm.debian.org/cgit/pkg-java/groovy.git

In the corresponding bug for 2.4.8-2 (#871857) Miguel says:

"I removed myself from uploaders list and prepared a tentative QA upload
but I didn't upload it to the archive since the resulting package would
be in violation of Debian Policy (§3.3 and §5.6.3). I'd appreciate if
somebody else can step in as maintainer."

Policy §5.6.3 says:
"This is normally an optional field, but if the Maintainer control field
names a group of people and a shared email address, the Uploaders field
must be present and must contain at least one human with their personal
email address."

--> groovy currently only has:
  Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
 (no Uploader:)
which seems to violate §5.6.3. So how can we make a policy-compliant
team upload without becoming maintainer (I'd like to avoid taking over
groovy maintainership if possible)?

Shall we set
  Maintainer: Debian QA Group <packages@qa.debian.org>
according to Policy §3.3, even if we usually do team uploads?

Other than that: @Miguel, @Emmanuel, @Kai: do you agree to make a simple
2.4.8-2 release with Miguel's changes only adding that patch?

Thanks and Best Regards,
-- 
Felix Natter
debian/rules!

