Bug#793630: groovy 1.8.6 and libcommons-cli-java 1.3.1 FTBFS

Markus Koschany apo at gambaru.de
Tue Aug 25 21:52:47 UTC 2015


On Wed, 29 Jul 2015 10:49:12 -0300 Miguel Landaeta <nomadium at debian.org>
wrote:
> On Wed, Jul 29, 2015 at 10:00:16AM +0100, Russel Winder wrote:
> > Emmanuel, Miguel,
> 
> Hi Russel,
> 
> > 
> > Apache Groovy 1.x series is no longer maintained. All effort is now on
> > the Apache Groovy 2.4.x and 2.5-SNAPSHOT versions. If Debian is to
> > remove Commons CLI 1.2 then I suggest removing the groovy package since
> > the groovy2 package is in place already, and is the right version for
> > Debian to go with.
> 
> That's right. We are no longer maintaining Groovy 1.x although we have
> several packages depending on it and our latest Debian stable release
> still includes groovy 1.x.
> 
> I stumbled upon this bug due to my attempt to fix CVE-2015-3253 in
> unstable for groovy 1.8.6 (the published fix is relevant for all
> groovy versions since 1.7.0).
> 
> I expect to remove groovy eventually but in the meantime we are
> applying only security bug fixes. We are working on groovy2 now.

Hi all,

I suggest asking the release team for an exception and providing the
security fix via testing-proposed-updates. The CVE fix appears to be
straightforward and could be uploaded afterwards to stable-proposed-updates.

We shouldn't invest too much time in groovy 1.x anymore. I think the
time is better spent on trying to switch all r-deps from groovy 1.x to
2.x as soon as possible and getting rid of this package.

Regards,

Markus



