On 24.03.2015 12:30, Emmanuel Bourg wrote: > I don't think this is a good idea. commons-httpclient is a very popular > library, even in its older incarnation. Removing it could make it harder > to bring new libraries or applications to Debian. >
Hi, well, this contradicts what Debian already recommends to users. The package description of libhttpclient-java states: "HttpComponents Client is a successor of and replacement for Commons HttpClient 3.x. Users of Commons HttpClient are strongly encouraged to upgrade." It will be much harder in the future to fix security issues when there is no upstream support and apparently commons-httpclient won't be developed anymore in favor of libhttpclient-java and Co. The dependencies should be changed whenever possible to the new and maintained implementation because this is what we do for all libraries and applications across the distribution. There will be cases where it is not as simple but at least we should try to reduce the security risk and maintenance burden. Regards, Markus
signature.asc
Description: OpenPGP digital signature
