Re: Unblock request for mantis
Patrick Schoenfeld wrote:
> today I've uploaded mantis 1.1.6 to experimental, but to summarize my
> request: I really would like to see this version in Lenny.
> mantis is a web-application that suffered from a lot of security
> problems in the past. It has improved a lot, but still security is a
> problem, because the code base of mantis (although much overworked) is
> still quite old. Quite a lot of work against such problems had already
> been done for the 1.1.2 release, which was "just in time" for Lenny.
> With the 1.1.3 release the developers of mantis refined the form
> security token implementation, to once and for all fix some security issues
> that popped up here and there without a proper solution.
> As one might expect this rather intrusive change caused some regressions
> in functionality, but since then _three_ releases were issued to fix
> issues arising from this. It got a lot of testing (by me and by others)
> and seems mature enough to use it in productive use.
> I firmly believe that - although the current version in Lenny is usable
> too - our users would benefit much from this version of mantis. I also
> believe that it would reduce the support burden, if we keep near to
> upstream and that the security improvements would make the security
> team's life easier.
> mantis has no reverse dependencies and therefore it can't break or
> disturb other packages in Debian.
> With the above stated rationale I'd like to upload mantis 1.1.6 to
> unstable in a day or two and ask you to let it migrate when the 10 days
> of testing in unstable have passed w/o unfixable problems.
Cc-ed Security Team for their input.