On 30/12/2014 00:29, Jonathan Wiltshire wrote:

> I certainly can't review a diff of this size. Out of our usual other
> options, it sounds like you can't isolate targeted fixes, and removal
> would impact a large number of dependent packages.
>
> Do you have any other suggestions?

Maybe we could let the version 3.2 enter unstable and be exposed to more tests for a couple of weeks before we decide to either ignore or accept it for Jessie? I already verified that the reverse dependencies build fine with the new version and I'm confident the compatibility is excellent, but it would be good to confirm this with some real world experience.

> (I must confess to being a bit disappointed that if 3.0.x is no longer
> supported upstream, some sort of 3.2 package didn't get uploaded until
> two days before the freeze started. Even 3.2.5 was released over a year
> ago now.)

Packaging the new version was a significant effort. It required several new dependencies and the build system changed completely. At least 3 persons worked on this task over the past year. I guess we lacked a stronger incentive to complete the work earlier: no package required a more recent release, and the other vulnerabilities were better documented and easier to backport. Unfortunately these CVEs came a bit late in the development cycle to allow us to handle them properly.

I admit that I'm also frustrated we weren't able to avoid this situation, because the transition to 3.2 is rather smooth once the new version is packaged. At least I'll ensure Jessie+1 ships with Spring 4.1.x or later to avoid a similar issue in the future.

Emmanuel Bourg