Re: [Secure-testing-team] py-asterisk REMOVED from testing
Faidon Liambotis wrote:
Luk Claes wrote:
Because asterisk maintainers apparantly aren't interesting in making
sure stable and secure packages reach testing as this is already taking
months and even before the release these packages were more than once in
a very bad shape, I thought they wouldn't mind... I guess I was wrong,
though I can still be convinced to remove all their packages from
testing if I was right after all...
Please, pretty please can someone preferably more than one take care of
the VOIP packages appropriately so removals of testing and release team
wasting time on them is not necessary anymore, TIA!
I have tried fixing all of the security bugs of asterisk.
We've already had security uploads on both sarge and etch recently
Unfortunately, asterisk in lenny was FTBFSing because of missing or
changed dependencies so I couldn't make an upload to testing-security,
even though the version is exactly the same as of etch.
It was FTBFSing because of a removed build dependency which apparantly
was fixed in unstable but not in testing...
Since then, I'm trying to get asterisk to migrate with no success.
We've had many problems unrelated to asterisk itself that had to fix or
workaround, such as a binutils bug (#440015) a gcc-4.2 bug (#445336)
and, of course, the lbl128 transition.
Which is of course a bit late, but thanks for trying to sort out the
Asterisk is quite hard to get to testing because of the vast amount of
build-deps. Right now, it's blocked by net-snmp, perl, krb5 and gtk-2.0.
That means you should try to get a stable version into testing and keep
that maintained for library transitions while you prepare and stabilise
a next candidate for stable (new upstream and/or less important changes)
in experimental and coordinate with maintainers of these build-deps on
when it's a good time to upload it to unstable... IMHO
If you think there are some other pending issues, please say so and I
will handle them personally.
The issue now is that people cannot install asterisk in testing and
people who already have it installed have a vulnerable version... though
I'm confident you'll try to fix that ;-)