
Bug#983876: marked as done (unblock: otrs2/6.0.32-1)



Your message dated Tue, 2 Mar 2021 19:38:43 +0100
with message-id <57e62486-0803-6ef0-a42c-0cebef04bf8a@debian.org>
and subject line Re: Bug#983876: unblock: otrs2/6.0.32-1
has caused the Debian Bug report #983876,
regarding unblock: otrs2/6.0.32-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
983876: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983876
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hello release team,

I'll try to cite from my mails to the security team; it's about #982927:


Yesterday I had a video call with the owner and lead developer of OTOBO. They
want to support me in keeping the otrs2 source package in good shape for
Bullseye, so that users of the package don't have to worry now.
Kicking the package out of Debian would not be optimal.
They also showed me https://github.com/znuny/Znuny (https://www.znuny.com/) - they
also forked OTRS CE 6 and are fixing bugs and security bugs, including all known open bugs
in CVE/Debian at the moment. So the plan would now be:
* Switch the source of the otrs2 package to the znuny one, so that we have releases
  based on an open(source), maintained, safe codebase => can I get the go from you for that?
* otrs packaging altogether is obsolete for bullseye+1. I will package otobo, also with
  otobo support, and we will work on an easy way so that users can later migrate
  from otrs to otobo.
We also spoke about the open security issues; there is indeed one in the CKEditor, but:
#980891:
The way otrs uses this library, it should not be possible to attack the user, mostly only the attacker himself.
#982586:
That's wrong information from the OTRS AG, because it does not affect otrs 6 CE.
It depends on using an external interface, which is available in OTRS 7 and 8
(not free) and maybe in the non-free otrs 6 package via addon, but not in the community edition, which is what is packaged in Debian.

XXXXXX itself is not helpful at all anymore and just wrote me **************
I hope switching as fast as possible to the znuny fork for the otrs2 source package is also an option for you; I don't want to release bullseye without it.


-----

I just uploaded the otrs2 6.0.32 package to experimental.  Could I have your ACK for bullseye? :-)

-- System Information:
Debian Release: 10.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-14-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
Hi Patrick,

On 02-03-2021 16:58, Patrick Matthäi wrote:
> I just uploaded the otrs2 6.0.32 package to experimental.  Could I have your ACK for bullseye? :-)

otrs2 is neither a key package [1], nor listed on the (build-)essential
list [2]. As long as you follow the soft freeze rules [3] and ensure
that the package migrates before the start of the hard freeze
(12-03-2021), there is nothing for us to unblock. I'm wondering if and
suspect that you are asking our permission to upload a new upstream
source. It's hardly doable for us to do that for all packages in Debian,
so we expect you to honor the freeze rules and make the judgement yourself
if a new upstream version for your package is appropriate at this stage.

Paul

[1] https://udd.debian.org/cgi-bin/key_packages.yaml.cgi
[2] https://release.debian.org/bullseye/essential-and-build-essential.txt
[3] https://release.debian.org/bullseye/freeze_policy.html#soft

Attachment: OpenPGP_signature
Description: OpenPGP digital signature


--- End Message ---