Jetty security issue?

Greg Wilkins gregw at webtide.com
Wed Oct 3 22:57:41 UTC 2007


Hi security team and Jetty package maintainers,


I'm the main developer of the Jetty Java HTTP Server.

I have been contacted by a Nico Golde @ debian.org asking
about the availability of a fix for a security vulnerability in
the debian package of Jetty, saying that the maintainers had
no time to fix it.
  
  http://securitytracker.com/alerts/2006/May/1016168.html

I was totally unaware of any debian packages of Jetty and replied
to Nico asking if I could be put in contact with the package 
maintainers.

Nico then replied with attitude that I was wasting his time
because I hadn't told him if a specific version was 
vulnerable (5.0.10 - which is not the packaged version).
As I have no idea how these packages have been built or
configured, I can't say if they are vulnerable or not.

I don't have any knowledge of how debian processes work
nor if Nico was approaching us in any official capacity.
I don't know if the debian Jetty packages are officially
part of debian or not?

I don't really appreciate being accused of wasting the
time of others simply because they have taken my
software and then can't be bothered to maintain it
(I don't know if that is the case, but it is how it
was represented by Nico).

I have put the effort in to develop the package and
to quickly respond to all security vulnerabilities 
that I have received.   I don't see that I should 
be expected to provide the extra effort to help every
distributor include those fixes, if they are not
prepared to help me.

However, if somebody without attitude who knows about
debian wants to work with me, then I would be VERY pleased
to help make non-vulnerable packages of Jetty available
via debian.

regards