Hi Salvatore and Markus,

On Thu, Feb 11, 2021 at 06:32:42AM +0100, Salvatore Bonaccorso wrote:
[...]
> On Thu, Feb 11, 2021 at 03:03:19AM +0100, Markus Koschany wrote:
> [...]
> > On Wednesday, 10.02.2021, at 22:03 +0100, Salvatore Bonaccorso wrote:
> > [...]
> > > 
> > > I'm not fully in favor of having all the (build-)rdeps forced out of
> > > Debian, that would likely not be a benefit as it seems unfair to the
> > > castle-game-engine, game-data-packager and neurodebian packages, but
> > > I still think having xcftools out of bullseye would be the right
> > > thing.
> > > 
> > 
> > I believe it makes sense to remove xcftools from Debian because there is a
> > lack of upstream support and development but I wouldn't be too aggressive
> > about the removal at the moment. My intention is to send a patch to fix the
> > open CVE in stable to you when we have addressed the remaining 32 bit issues.
> 
> Yes that sounds fine. Admittedly it was for us in dsa-needed only
> because Hugo initially aimed to address it across all suites top-down.
> It might just be an option to include a fix once it is stable enough
> via a point release. But we can look at it once you have a fix as well
> for the 32bit issues.
> 
> So thanks for working on it!

Thanks from my part too! Unfortunately I am struggling to find
time for Debian currently. It makes me feel bad, and I hope that I
will be able to come back soon.

Do you know if xcftools is only used as a build dependency, or is
it used by some end users directly? The popcon is not that low
and my fear is that, even after removing it from Debian, users
would continue to use it, installing from somewhere else,
effectively being at even higher risk than with the Debian
archive's (semi-) patched version.

Of course if we can't offer any support I guess it's still better
to get rid of it than giving a false impression of
support/security.

Best,
Hugo

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
