[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RFC: remaining CVEs on libspring-java

On Thu, Jun 06, 2019 at 12:06:42AM -0400, Roberto C. Sánchez wrote:
> On Tue, Jun 04, 2019 at 12:56:21PM +0200, Markus Koschany wrote:
> 
> > The Spring framework is a very fine but
> > also complex web framework. We use many parts of it as
> > build-dependencies for other packages. I don't believe that a serious
> > Java developer will build web applications with our Spring package, and
> > a look into packages-to-support seems to confirm my suspicion. I would
> > upload what has already been fixed and then follow Stretch.
> > 
> Your mention of packages-to-support caused me to go look, where I found
> that libspring-java is not listed.  That makes me think that it was
> mistakenly added to dla-needed.txt.  Given that it should not have been
> listed in the first place, that supports wrapping up and uploading the
> work that I have done up to this point without going any further.
> 
Emilio and Mike pointed out to me in IRC that I was misunderstanding the
role of packages-to-support in LTS.  Thanks to them for explaining the
situation to me.

That said, I'll still go ahead with your recommendation.

Regards,

-Roberto

-- 
Roberto C. Sánchez
Reply to: