On Mon, Jun 08, 2026 at 09:11:00PM +0200, Chris Hofstaedtler wrote:
> Hi,
>
> I'm not against marking ply unsupported, but I must say the CVE is
> very questionable.
It's marked as bogus in the security tracker. I don't think we should
start declaring random packages which are dead upstream as unsupported,
that won't scale and is also not the right course of action. We have
100s of other packages which no longer have an active upstream and
if there's ever a genuine security issue for ply we can look into
fixes ourselves.
> Also: why is there no bug against src:ply?
Given the package is dead upstream, I think a sensible step would
be to investigate alternatives and if they are packaged, file
bugs against the rdeps.
Cheers,
Moritz