On Wed, 22 Nov 2023 17:24:06 -0500 Daniel Kahn Gillmor
<d...@fifthhorseman.net> wrote:
Package: src:sop-java
Version: 4.1.0
Control: affects -1 + pgpainless-cli
Hi folks--
sop-java 4.1.2 is available upstream, and should be a relatively
straightforward update in Debian.
As are several substantially newer versions, but the newer ones look
like they might be semver incompatible, so for the purposes of keeping
the 1.3.* series of pgpainless-cli in Debian they are probably not
advisable to upgrade until the newer version of bouncycastle lands in
unstable, see #1049356.
The 1.3.* series of pgpainless doesn't build with bouncycastle-1.77,
which has been uploaded in Debian recently, so I think we don't have
much choice but to bring both sop-java and pgpainless to the latest
versions.
However, sop-java upstream have ported their code to Kotlin, and I'm not
sure whether it's feasible to keep it in Debian anymore since Kotlin,
although in Debian currently, is quite new and has two unfixed CVEs
against it.
I also couldn't find any other Kotlin projects in Debian which
build-depend on Kotlin (aside from Kotlin itself and some related plugins).
What do you think?
-- Jérôme