Control: severity -1 serious

On 21/08/2016 at 02:26, Markus Frosch wrote:
> On 25.07.2016 13:11, Markus Frosch wrote:
>> this is an interesting problem, while looking on the 3 dependent packages.
>> (see below)
>>
>> We have 3 choices to go on:
>>
>> 1. Still provide zendframework 1 in a separated path, so it won't conflict
>> with ZF2/3
>> 2. Embed needed code into the packages, and drop the full library

Both those proposals are not acceptable now that upstream dropped security support for it. Given the amount of security issues patched into zendframework regularly (we’ve made six stable updates since Jessie has been released, three or four via a DSA), keeping part of its code in the archive without anyone to audit the code is not an option IMO. Maybe the security team will have another opinion about it, but I believe they are relying on the maintainers for those PHP classes.

>> 3. Remove all 3 packages from stretch

4. Wait for (or help) upstream to move away from deprecated code.

> I'd prefer not to remove zendframework from Debian.
>
> Downgrading bug to important.

Please, don’t hide issues. There is still time right now to get the reverse dependencies in shape for Stretch, waiting for the freeze won’t help anyone.

Regards

David