
Re: Security issue in groovy<2.5.0



Hello Felix,

I agree that the changes are made into a single patch.

Now that no human being is actively maintaining this package, I think it is effectively orphaned. pkg-java team is unable to be responsible for the package because nobody *is* pkg-java. Changing the maintainer to Debian QA Group does not seem incorrect to me.

However, I'm curious about the situation when someone wants to upload a simple change to an orphaned package. Do people refrain from it, or do they simply do a non-maintainer upload?

On 2017/9/5 at 3:35 AM, Felix Natter wrote:
> 殷啟聰 | Kai-Chung Yan <seamlikok@gmail.com> writes:
>
>> Hello Natter,
> hi Kai,
> thanks for the reply.
>
> s/Natter/Felix/g ;-) (my first name is Felix)
>
>> Since it's just one commit, I suggest you put it as a patch in
>> `debian/patches`. When someone is updating the package to 2.5.0, she
>> can just remove it.
> There is already a 2.4.8-2 in the git pipeline (unreleased) by Miguel
> Landaeta (CC):
>   https://anonscm.debian.org/cgit/pkg-java/groovy.git
>
> In the corresponding bug for 2.4.8-2 (#871857) Miguel says:
>
> "I removed myself from uploaders list and prepared a tentative QA upload
> but I didn't upload it to the archive since the resulting package would
> be in violation of Debian Policy (§3.3 and §5.6.3). I'd appreciate if
> somebody else can step in as maintainer."
>
> Policy §5.6.3 says:
> "This is normally an optional field, but if the Maintainer control field
> names a group of people and a shared email address, the Uploaders field
> must be present and must contain at least one human with their personal
> email address."
>
> --> groovy currently only has:
>   Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
>  (no Uploader:)
> which seems to violate §5.6.3. So how can we make a policy-compliant
> team upload without becoming maintainer (I'd like to avoid taking over
> groovy maintainership if possible)?
>
> Shall we set
>   Maintainer: Debian QA Group <packages@qa.debian.org>
> according to Policy §3.3, even if we usually do team uploads?
>
> Other than that: @Miguel, @Emmanuel, @Kai: do you agree to make a simple
> 2.4.8-2 release with Miguel's changes only adding that patch?
>
> Thanks and Best Regards,

