Re: EOL candidates for security-support-ended.deb10 (libspring-java support)

[Sylvain Beucler <beuc@beuc.net>]

Hello Moritz,

On 05/08/2022 11:59, Moritz Mühlenhoff wrote:
> Am Wed, Aug 03, 2022 at 11:54:28AM +0200 schrieb Sylvain Beucler:
> > I think the following stretch EOL entries also apply to buster, because the
> > rationale still applies to the buster versions:
> > - libspring-java https://lists.debian.org/debian-lts/2021/12/msg00008.html
>
> For Spring we need a more general solution, it's not only becoming
> a problem when it reaches LTS, but it already a problem in testing.
>
> Upstream (VmWare) hardly discloses any information on security issues
> other than telling the version to update to. That bundled with the fact
> that even the versions in unstable (4.3) are now outside the supported
> range by upstream...

Thanks for your input.

(E)LTS needs to identify unsupportable packages, so that e.g. Freexian 
doesn't sell support contracts for those, hence why we need to mark this 
explicitly and early in debian-security-support.

I believe it is within the scope of LTS to help fix such issues more 
generally / at the source, so we could help.  Do you have a strategy in 
mind wrt libspring-java in Debian?
(for testing, in the link above Markus mentionned referencing it in the 
release notes on limitations in security support)

Cheers!
Sylvain Beucler
Debian LTS Team