
Re: web2py



CCed to Debian security team, as I notice that the version of web2py in
jessie is the same version as in wheezy, so presumably they will have
the same issues.


Brian May <brian@linuxpenguins.xyz> writes:

> I am inclined to think that the code has changed so much since the
> wheezy version, that the current vulnerabilities are unlikely to be
> applicable.
>
> Even if you take the view that they are unless proven otherwise, and you
> can positively identify the concerned patches (upstream doesn't appear
> to be helping yet here), I don't think it is going to be feasible to
> backport these changes to wheezy, due to the significant code base
> differences.
>
> https://github.com/web2py/web2py/issues/1585#issuecomment-284320439

Wondering what to do from here. I guess the options are:

1. Wait longer for upstream response.
2. Try backporting jessie version to wheezy and adding security fixes.
3. Try backporting stretch version to wheezy.
4. Try backporting sid version to wheezy.
5. Mark web2py as unsupported in wheezy.

Any others?

Scratch option 2, the versions are the same in Jessie and Wheezy - both
have 1.99.7-1.

Scratch option 3, the package isn't in stretch. Probably due to an
outstanding RC bug
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842303.

For option 4, wheezy/jessie has version 1.99.7-1 and sid has 2.12.3-1
(latest upstream version is 2.14.6) - I imagine upgrading this might
have compatibility issues. Not to mention that RC bug concerning
licensing.

Considering this won't be in the next release of Debian, I am inclined
to pick option 5.

Any comments?
-- 
Brian May <bam@debian.org>

