
Re: EOL candidates for security-support-ended.deb10 (libspring-java support)

Hello Moritz,

On 05/08/2022 11:59, Moritz Mühlenhoff wrote:
> On Wed, Aug 03, 2022 at 11:54:28AM +0200, Sylvain Beucler wrote:
>> I think the following stretch EOL entries also apply to buster, because the
>> rationale still applies to the buster versions:
>> - libspring-java https://lists.debian.org/debian-lts/2021/12/msg00008.html
>
> For Spring we need a more general solution, it's not only becoming
> a problem when it reaches LTS, but it is already a problem in testing.
>
> Upstream (VMware) hardly discloses any information on security issues
> other than telling the version to update to. That bundled with the fact
> that even the versions in unstable (4.3) are now outside the supported
> range by upstream...

Thanks for your input.

(E)LTS needs to identify unsupportable packages, so that e.g. Freexian doesn't sell support contracts for those, hence why we need to mark this explicitly and early in debian-security-support.

I believe it is within the scope of LTS to help fix such issues more generally / at the source, so we could help. Do you have a strategy in mind wrt libspring-java in Debian? (for testing, in the link above Markus mentioned referencing it in the release notes on limitations in security support)

Sylvain Beucler
Debian LTS Team
