Package: release.debian.org
Severity: normal
X-Debbugs-Cc: beast-mcmc@packages.debian.org
Control: affects -1 + src:beast-mcmc
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package beast-mcmc

[ Reason ]
beast-mcmc source is affected by important bug #1103836 raised by the Security Team: beast-mcmc source up to 1.10.4+dfsg-6 build depends on libitext1-java, which has been obsolete for a while. Upon investigation, it seems that the remaining build dependency on libitext1-java was an oversight, as the build process also transitively depends on the contemporary libitext5-java, and seemingly uses this version for the resulting binaries. I have removed the build dependency on libitext1-java in the package version available in sid. I'm under the impression that it would be beneficial to have this change brought to trixie, in order to allow the removal of libitext1-java from the archive starting with trixie.

[ Impact ]
It has been mentioned that beast-mcmc is the last package to make the presence of libitext1-java necessary in the archive. If the unblock is not granted, it will continue to be necessary to the trixie release, with the implication of having an outdated package around with regards to its lack of security support.

[ Tests ]
The package ships a suite of unit tests which is not enabled. In order to have some confidence that the build dependency removal has not caused damage, I have run the test suite on 1.10.4+dfsg-6 and 1.10.4+dfsg-7, and verified that there were no regressions. I also examined differences in binary packages with diffoscope, and have witnessed nothing apart from changes in timestamps, suggesting that the build process has not been affected by the removal of libitext1-java. The newer package version has also been available for 11 days already.

[ Risks ]
The change is one line, but may not have trivial consequences; this is mitigated by verifying there were no regressions and binary artifacts examination with diffoscope.
I am not an end user of beast-mcmc and cannot tell whether it is in working conditions or not, but no user raised any alert to the Debian Med team about a regression of the package in the past 11 days, since the change is available in sid.

[ Checklist ]
  [*] all changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in testing

[ Other info ]
debdiff is inline, given how short it is:

-------8<--------------8<--------------8<--------------8<-------
diff -Nru beast-mcmc-1.10.4+dfsg/debian/changelog beast-mcmc-1.10.4+dfsg/debian/changelog --- beast-mcmc-1.10.4+dfsg/debian/changelog 2024-12-21 17:38:11.000000000 +0100 +++ beast-mcmc-1.10.4+dfsg/debian/changelog 2025-06-17 22:28:38.000000000 +0200 @@ -1,3 +1,10 @@ +beast-mcmc (1.10.4+dfsg-7) unstable; urgency=medium + + * Team upload. + * d/control: remove dependency to libitext1-java. (Closes: #1103836) + + -- Étienne Mollier <emollier@debian.org> Tue, 17 Jun 2025 22:28:38 +0200 + beast-mcmc (1.10.4+dfsg-6) unstable; urgency=medium * Fix clean target diff -Nru beast-mcmc-1.10.4+dfsg/debian/control beast-mcmc-1.10.4+dfsg/debian/control --- beast-mcmc-1.10.4+dfsg/debian/control 2024-12-21 17:38:11.000000000 +0100 +++ beast-mcmc-1.10.4+dfsg/debian/control 2025-06-17 22:28:38.000000000 +0200 @@ -21,7 +21,6 @@ libjdom1-java, junit4, libmtj-java, - libitext1-java, libejml-java (>= 0.41), libjlapack-java Standards-Version: 4.7.0
-------8<--------------8<--------------8<--------------8<-------

unblock beast-mcmc/1.10.4+dfsg-7

Have a nice day, :)
-- 
  .''`.  Étienne Mollier <emollier@debian.org>
 : :' :  pgp: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/2, please excuse my verbosity
   `-
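
Review bot: In the debian/control hunk, removing `libitext1-java,` leaves no iText package in the visible part of the dependency list (libjdom1-java, junit4, libmtj-java, libejml-java, libjlapack-java), while the request states that the build picks up libitext5-java only transitively. If the sources compile against iText, declare libitext5-java explicitly in the same list so the build does not depend on another package continuing to pull it in; if iText is not needed at build time at all, state that in the changelog entry instead.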
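
Review bot: The new debian/changelog entry `d/control: remove dependency to libitext1-java.` does not say which dependency field was changed or why the removal is safe. Consider wording it as a removal of an obsolete build dependency and noting in one clause that the binaries are unchanged, so that someone reading only the changelog can tell there is no runtime dependency change behind the "Closes: #1103836".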