tomcat6 wheezy DSA (was/and Re: tomcat6_6.0.41-2+squeeze5_amd64.changes REJECTED

Sun Nov 23 21:09:14 UTC 2014

On 11/23/2014 12:03 PM, Holger Levsen wrote:
> Hi Adam,
> 
> On Sonntag, 23. November 2014, Adam D. Barratt wrote:
>> On Sun, 2014-11-23 at 19:43 +0100, Holger Levsen wrote:
>>> oh, "btw": jessie has -2, sid -3, with changes unsuitable for wheezy and
>>> targeted at jessie. this needs an unblock request to let -3 migrate to
>>> jessie and have the binaries removed from sid first... anybody doing
>>> this?
>>
>> It needs more than that; from the cruft-report:
> 
> that's the cruft report for which distro?
> 
>> * package libtomcat6-java in version 6.0.41-2 is no longer built from
>> source [...]
>>   - broken Depends:
>>     tomcat-maven-plugin: libtomcat-maven-plugin-java
> 
> both are in wheezy
> 
>> * package tomcat6 in version 6.0.41-2 is no longer built from source
>> [...]
>>   - broken Depends:
>>     biomaj-watcher/contrib: biomaj-watcher
>>     guacamole-client: guacamole-tomcat
> 
> both are in wheezy
> 
>>     jspwiki/contrib: jspwiki
> 
> jspwiki I can only find in unstable...
> 
>>   - broken Build-Depends:
>>     jspwiki/contrib: tomcat6
> 
>  
>> * package tomcat6-common in version 6.0.41-2 is no longer built from source
>> [...
>>   - broken Build-Depends:
>>     tomcat-maven-plugin: tomcat6-common
> 
> see above, in wheezy
> 
> /me cannot believe adsb might have done a mistake - have we been hacked? ;-)

The cruft report for unstable will look *very* different due to 6.0.41-3
being a *radically* different package.

> tomcat6 (6.0.41-3) unstable; urgency=medium
> 
>   * Build only the libservlet2.5-java and libservlet2.5-java-doc packages.
>     Tomcat 6 will not be supported in Jessie, but the Servlet API is still
>     useful as a build dependency for other packages.
>   * Standards-Version updated to 3.9.6 (no changes)
> 
>  -- Emmanuel Bourg <ebourg at apache.org>  Wed, 22 Oct 2014 09:48:54 +0200

The decision/requirement to remove tomcat6 from jessie has been
requested by the Security team for quite a while, and the 6.0.41-3
source upload effectively does this by just building libservlet2.5-java
(without which we would have many packages with missing r-deps).

I not sure I understand all of the ramifications of the statement I'm
about to make, but for the purposes of squeeze and wheezy, we need to
consider 6.0.41-2 as the last version of a "complete" tomcat6 source
package.

tony

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20141123/464250be/attachment.sig>