Hi Chris,

Quoting Chris Maj via Pkg-voip-maintainers (2025-04-14 10:01:29)
> To address OP's security concerns -- there's been only 12 CVEs upstream in
> 2023/2024, owing to much improved processes, automated tests, etc. These
> continue to be patched in regular upstream releases once or twice a month.
>
> To address chief maintainer's concerns -- there's been several volunteers
> over the past year on the mailing list.

What is needed is not promises but demonstrated praxis. We need a team that has demonstrated investing the needed skills and time to backport *any* CVEs *at all*, before we can commit to handling such expected rate of 12 CVEs per year.

To avoid misunderstanding: I am *not* blaming the volunteers that have chimed in, specifically. I really don't know if they are all super enthusiastic and super skilled and have all simply waited for me to say "go!" in the appropriate way for us to blossom as a functional team.

Whatever the cause, the team is not yet functional, and what the security team requested by filing this bugreport is that we *first* demonstrate capability in handling CVEs, and only *then* re-add the package to stable Debian.

Also, freeze is tomorrow, and it takes at a minimum 3 days for a package to enter testing, so even if we somehow demonstrated capability today, we would still be too late to include it.

Thanks for the interest,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely  [ ] ask before reusing  [ ] keep private