[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#917174: davmail: FTBFS with libjackrabbit-java 2.18.0

Hello Alex,

Am 04.01.19 um 13:16 schrieb Alexandre Rossi:
>>> unfortunately davmail fails to build from source with
>>> libjackrabbit-java 2.18.0. Long deprecated methods have been removed.
>>> Your package build-depends on a very old version of jackrabbit (2.4.3).
> This is too much work and I'm afraid if I do not get help I'll miss
> the 2019-02-12 - Soft-freeze deadline for davmail to be part of the
> Debian buster release. I'll continue working on this anyhow. My work
> will be regularly published at
> https://salsa.debian.org/debian/davmail/tree/httpclient4-api
> For davmail in buster, the options are :
> 1) let davmail being removed from buster (because it does not work
> with the newer libjackrabbit, because low popcon, because a backport
> can be made available later)
> 2) upload a libjackrabbit-old-java compatible with davmail and build
> against this (I can prepare this).
> 3) holding libjackrabbit-java 2.18 from reaching buster because it
> breaks its only rdep.
> 4) fixing the 1300+ compile errors before the soft freeze and ensure
> few regressions (unlikely I can do this by February as I'm learning
> libhttpclient-java and the davmail codebase at the same time)

Admittedly the upload happened on short notice and it was not my
intention to force you into porting davmail to a newer version of
jackrabbit-webdav. I think we can just prevent libjackrabbit-java 2.18
from moving to Buster which should solve this issue in the near-term.
However then we don't ship the current stable version of jackrabbit but
only an oldstable one that is maintained (at the moment) but will be EOL
during the Buster release cycle which is not so great either in my opinion.

I think the general problem is that upstream depends on an obsolete
version of jackrabbit-webdav, version 2.4.3, that has known security
vulnerabilities [1], CVE-2016-6801 and CVE-2015-1833. I only took care
of jackrabbit to make backports of security patches easier for all of
us. Ideally you should take care of jackrabbit too and maintain both
packages under the Java team umbrella. In any case I recommend to not
ship davmail in Bullseye if it can't be upgraded to supported versions
of jackrabbit and httpclient in the future.



[1] https://security-tracker.debian.org/tracker/source-package/jackrabbit

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: