On 01/10/15 22:11, Kai Storbeck wrote:
> Hi,
>
> Roundup 1.4.20-1.1 is still the version in stable. Roundup 1.5 was released a few years back, and I need someone to help me with the final stages in getting 1.5 in stretch, or getting it removed.
>
>
> Roundup is a python web application with quite some vendored code (javascript libs and fonts), 5 different licenses, and in 1.5.0 there is an offending file that has an incompatible licensing, so I had to "dfsg" it. (is there a verb for that?)
>
> During this work a security issue came along and this made me realise that the architecture of roundup isn't exactly compatible with what I would expect from a proper Debian package.
>
> We can create security updates for roundup, but that won't help any existing user as all actual issue trackers are using a copy of the lib at the time of their birth.
>
> I'm quite unsure on how to proceed here, but perhaps someone with more experience can help me with the steps needed.
>

Hello Python Application Team,

I'm still reasonably at the same spot as I was in October 2015.

Let's compare Roundup with Trac or Request-tracker4:

Roundup is not designed to be customizable in the way Request Tracker (request-tracker4) is. The latter supports local customizations (in /usr/local) and plugins either from source, Debian packaged extensions; without having to rewrite any files from the package in /usr/share.

Trac is only customizable through settings or extra plugins. Code is not changed, nor copied, IIUC.

Roundup is intended to be copied and heavily customized, although I can see a very small niche where roundup would contain only an instantiated demo tracker in /usr/share (i.e. no customizable config/authorization).

My advice: File a removal. I certainly have only partially enjoyed maintaining it.

I'm open to filing an RFA instead of a removal, but I need some discussion with some people for a consensus.

Kind Regards,
Kai Storbeck