On 23/08/2018 17:11, Markus Koschany wrote:
> My concern is that we have an upstream project that does not even
> consider such a trivial fix. Then we have another example of a
> fire-and-forget one-time upload (simple-xml) and now the package is
> carried "by the team". carrotsearch-randomizedtesting is a
> test-dependency for lucene4.10 and spatial4j, same pattern, one-time
> upload, now carried by the team. And when I see that we ship at least
> three versions of lucene in Debian, then I suppose we still have some
> room for improvements.

lucene2 is only used by eclipse; I hope we'll be able to remove both of them before Buster is released. With the new eclipse-* packages heading to unstable this is now a likely outcome.

> The gist is: Better maintain few packages and do it well, instead of
> maintaining many packages that just exist for collecting RC bugs.

I agree. Not all CVEs are equally important though; here simple-xml is just a test dependency of another package and has a very low popcon, so the vulnerability has no real impact on Debian users.

Emmanuel Bourg